Following the Financial Conduct Authority’s (FCA) multi-firm review of cybersecurity in the asset management and wholesale banking sectors back in 2017 and 2018, the key findings have been published.
The FCA outlines how boards and management committees understand and manage the cyber risks their firms face and how effective second line functions are in overseeing the identification and management of cyber risks. There is a concern that boards and management committees have limited knowledge on the cyber risks facing their organisations despite the overall growing regulatory focus on cyber security in the financial services sector. This is further weakened by the second line of defence’s inadequate technical cyber-expertise and the limited ability to challenge the first line of defence on such issues.
In particular, the FCA highlights that there was limited evidence of firms actively trying to "connect the dots" between cyber and conduct risk, which may occur through cyber channels like market abuse and financial crime. Firms are encouraged to consider how they could be incorporating cybersecurity risks into their approach to conduct risk. This involves moving away from seeing cyber as an IT issue to an issue that is an organisation-wide priority. The FCA notes that there is also a risk where a firm relies on group-level arrangements and slips away from addressing any gaps when trying to align the firm’s specific risks.
In its findings, the FCA did observe some firms adopting an effective approach with regards to third-party vendor risk management which involved the firm identifying and engaging with stakeholders across the business for each supplier. This model, which is different to a purely centralised vendor management function, appears to have effective oversight and resilience benefits.
Data and information about products, clients and business services are central to asset management and wholesale banking activities. A significant failure by a firm in these sectors to manage cybersecurity effectively could cause serious harm to its clients and to the markets in which it operates.