How should financial services boards respond to growing cyber risks?
The EMEA Centre for Regulatory Strategy
The WannaCry cyber-attack early this year did not hit financial services (FS) firms as directly as it did some other industries, but its sheer scale across more than 150 countries and the level of disruption caused by the ransomware it deployed will force all businesses to re-examine their preparation for a major cyber event. In financial services, an industry characterised by the highest levels of interconnectivity, enhancing cyber resilience has been an urgently growing priority for firms and their boards.
Financial regulators are playing a large part in pushing this forward, with 2016 and 2017 seeing a flurry of new rules and heightened expectations for how FS firms manage their cyber resilience. Importantly, however, regulators and supervisors are also starting to take a closer look at how effectively FS boards engage on cyber risk issues and how non-executive directors (NEDs) access the necessary expertise to be able to provide oversight and challenge of management on this topic.
From a board perspective, growing cyber threats and increased supervisory scrutiny of firms’ resilience raise at least three questions that need to be answered:
- What kind of expertise do NEDs need in cyber security?
- How should cyber resilience be governed within firms?
- What kind of Management Information (MI) on cyber should a board receive?
Cyber as a growing source of regulatory risk for FS boards
The importance of cyber threats as a growing source of risk for FS firms is not in doubt. Deloitte’s 2017 Cyber Reporting Survey found that 89% of FS firms in the FTSE 100 identified cyber threats as a principal risk in their annual reports, and 76% indicated that they expected this risk to increase in the coming year.
The challenge is that there is much less consensus in the financial sector around what the appropriate governance response to cyber risk is. For instance, the same Deloitte survey found that only a very small share of FS firms in the FTSE 100 publicly disclosed having a director on their board with experience relevant to cyber security or conducting board-level training on cyber issues.
Supervisors, however, are taking a larger interest in verifying that firms have effective internal governance structures suited to dealing with cyber risk. The European Banking Authority’s (EBA) Guidelines on the supervisory assessment of Information and Communications Technology (ICT) risk in banks, published this month, emphasise the importance of a strong oversight framework in the assessment of a bank’s susceptibility to cyber risks. Similarly, the Advance Notice of Proposed Rulemaking (ANPR) on cyber risk issued by the U.S. federal regulatory agencies in 2016 stresses the active role that NEDs must play in setting a firm’s cyber risk appetite and in ensuring that the implementation of cyber resilience initiatives is in line with their policies.
An important shift here has been the gradual evolution of supervisory concerns from being primarily focused on the consumer protection and privacy risks of cyber threats to becoming increasingly concerned with their potential systemic implications. What WannaCry demonstrated was that a global cyber-attack can cause long-lasting disruption in organisations as well-established and diverse as telecoms companies, railway operators, major hospitals and the Russian interior ministry. We think it’s a safe assumption that the appetite of regulators to see similar standstills in cashpoints, exchanges, payments infrastructures and clearing houses is next to nil.
How FS boards can respond to supervisory expectations on cyber risk
Boards are well placed to get ahead of this trend and not be caught on the back foot by rising supervisory expectations. When thinking about how boards engage with their firms’ cyber resilience activities, a good place to start is with the three questions introduced at the start of this blog:
- Specialist cyber expertise on the board: It’s clear enough that board members shouldn’t abdicate responsibility for cyber issues to just one of their members. Given the active role they need to play collectively in setting a firm’s cyber risk appetite and cyber resilience strategy, all NEDs should be able to show that they have taken steps to build a stronger understanding of cyber risks and have developed a practised response to cyber breaches for when they occur. This can include holding regular briefings and scenario-based exercises with the whole board or at the level of the responsible committee. Beyond this, however, boards still need to consider how they access deeper expertise in cyber in order to demonstrate to their supervisors that they can understand and effectively challenge management in often technical and jargon-heavy briefings on cyber issues. Firms have taken different approaches here, but having an independent cyber or IT expert either on or advising the board could increasingly become part of the solution, as could having a member with a background in signals intelligence.
- Internal governance of cyber risks: Boards need to see that effective governance structures and procedures are put in place across their firms for handling, escalating and reporting cyber-related information to them. This includes clarifying the roles and interaction of the Chief Information Officer (CIO), the Chief Operating Officer (COO) and the Chief Risk Officer (CRO), and demonstrating that cyber resilience is not organisationally siloed as an IT concern. In the UK, we expect the creation of a “Chief Operations” function under the Senior Managers Regime, responsible for the resilience and continuity of internal technology, to drive the clarification of cyber resilience governance within firms there. We also expect the UK Financial Conduct Authority’s efforts to assess how effectively firms instil a “security culture” to shine a light on areas where insufficient efforts by boards to set a “tone from the top” on cyber security and resilience practices may create vulnerabilities. Similar levels of supervisory pressure should also evolve quickly in other key financial jurisdictions.
- MI on cyber readiness: Boards need to ensure that the MI they receive paints a comprehensive picture of a firm’s cyber readiness. As discussed in our Regulating Cyber Resilience blog last year, we see three areas that board MI needs to cover. The first is cyber risk identification: how comprehensively a firm has mapped its cyber risk exposure, including risks arising from third parties, and whether it can identify its critical systems and explain the interdependencies between them during a cyber event. In this respect, applying a cyber-risk lens to M&A decisions should increasingly become part of a board’s basic considerations going forward. The second is cyber risk governance, as discussed above, with a particular focus on MI about the effectiveness of the first and second lines of defence in communicating with each other and escalating potential cyber threats. This could include data on the frequency and speed of escalation of breach reporting, compared to industry or business-line averages. The third is MI covering a firm’s resilience in responding to breaches. MI here will be challenging to collect and interpret, given how different cyber risks are from financial ones, the lack of a history of losses and the potential for unexpected correlations in cyber breaches (e.g. WannaCry hitting healthcare, logistics, transport and telecoms simultaneously). One benchmark boards should look for evidence of in their MI is the ability of their firm to bring critical systems back online within the 2-hour downtime window set by IOSCO/CPMI for market infrastructures and repeated in the US ANPR for significant banks.
Given how cyber-attacks like WannaCry and GoldenEye can swiftly, and not always predictably, drive the regulatory and supervisory response to cyber risks, FS firms have to get on the front foot in managing their cyber resilience. This underscores the need for their boards to re-assess their engagement with their firms’ cyber resilience activities and to think about how they ensure they are able to keep pace with the rapidly evolving nature of cyber threats that the industry now faces.