Regulatory Outlook 2017: Cyber and IT Resilience
More specific and more demanding
Deloitte's EMEA Centre for Regulatory Strategy has recently published the report ‘Financial Markets Regulatory Outlook 2017’. The report is their annual assessment of how major regulatory developments will shape the financial services industry in the coming year, and cyber and IT resilience is one of its key topics.
Heightened interest in the ability of firms to cope with rising cyber risks and obsolete IT infrastructure sets the scene for a more active supervisory approach to these issues in 2017. Technological failures, cyber-crime and data breaches will spur supervisors to work more closely together to identify ways in which firms, and the financial networks they rely on, can become less susceptible to these challenges. Supervisors will push for increased cyber resilience through the following action points:
- The focus of supervisors on cyber resilience will continue to increase, and they will begin to articulate more detailed expectations of firms.
- Supervisors will expect firms to demonstrate that they have put in place effective threat detection systems, robust (communication) plans, and have designed a solid governance structure.
- Resilience plans will need to be put through organization-wide tests and red-team exercises, in order to generate data that demonstrates the actual resilience of an institution.
- Supervisors will look for firms to more routinely share real-time cross-industry information with their peers on cyber-threats as they arise.
Banking and capital markets
Supervisors are likely to scale up their cyber activity at different paces, but banks and FMIs (financial market infrastructures) should be the first to expect increased scrutiny. The late-2016 consultation by US regulatory agencies on Enhanced Cyber Risk Management Standards cleared a path for more detailed expectations, which we expect EU regulators to follow in the coming year. Most of this activity will likely occur through the normal supervisory process, but it could also result in special investigations if particular breaches or deficiencies are identified. Banks and FMIs will also feel increasing pressure to appoint someone with practical cyber and IT experience to their board.
Although supervisory pressure will be focused most on banks and FMIs, investment managers should carefully consider the spillover of supervisory expectations into their sector as well. Cyber and IT concerns for investment managers are more likely to materialise around the security of critical client data and its potential leakage following unintentional or deliberate acts. Third-party providers working with investment managers could also be a source of exposure to cyber risks, and managers may increasingly have to assess whether their vendors have adequate security controls and incident response plans in place.
The increasing digitisation of insurance business and more online interaction with customers will open the sector to new sources of cyber and IT systems risk. In keeping with their banking counterparts, insurance supervisors will assess board understanding, oversight and readiness in this area, and will look to ensure that insurance firms have appropriate plans in place to protect data as digitisation gathers pace. From a different perspective, cyber security concerns in the financial and non-financial sectors present a growing opportunity for general insurers and reinsurers, as companies increasingly look to insure against their exposure to cyber risk. The PRA, however, has already indicated that it expects insurers to be able to adequately identify, quantify and manage their cyber insurance underwriting risk.