Head of Cyber Security and ICT Risk Nick Gumbley discusses in this blog the top cyber security questions you, as a compliance professional, should be asking your Chief Information Security Officer (CISO).
As a compliance professional in a regulated financial services business, it is sometimes unclear where responsibilities for your firm’s compliance start and where they end.
Cyber security has never been a more important area of compliance, so you need to make sure you are doing everything you can to comply with the relevant legislation while protecting your business from cyber attack.
The regulator’s expectations
The FCA and Central Bank of Ireland have increased their scrutiny of the technology components, fraud systems and controls and cyber / ICT security arrangements of regulated financial services institutions considerably in recent years.
The marrying of financial services with technology has brought many challenges. One such challenge is that very few heads of compliance can claim to be a specialist in all the areas they need to be. They are more likely to have expertise in fraud and money laundering and turn to the Chief Information Security Officer for oversight of the technology and information security.
This points to one of the primary difficulties – how do we make sure we are all speaking the same language?
fscom’s Head of Cyber Security and ICT Risk takes you through the following key questions you should be asking your CISO to ensure the right systems and controls are in place to meet the expectations of the regulator.
- What are the cyber threats and risks that our business faces?
The first question should look at the cyber threats currently out there, identify the vulnerabilities in your business operations and assess the risk these pose to your business. Only by identifying the cyber risks facing your business can you then decide how to deal with them.
Risk frameworks have served businesses very well over the years and your business is likely to have a cyber security risk framework in place. So, make sure your CISO has identified the key risks and prioritised them by likelihood and impact. The mitigating effect of the cyber measures you have in place to reduce risk (i.e. your controls) should be applied to specific risks and the risk re-assessed. Risks which are still unacceptable must be identified and an action plan put in place to address them.
Another key question would be when was the risk assessment conducted and reported to the senior team and when will it be revisited?
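The risk register process described above (score each risk by likelihood and impact, apply the mitigating effect of existing controls, re-assess, and flag anything still outside appetite, along with the date check for when the assessment was last done) can be made concrete as a small register. The following is an added example written for this post, not fscom's own tooling; the 5x5 scale, the risk appetite threshold, the 365-day review period and the four sample risks are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed scoring scale: likelihood and impact are each 1 (lowest) to 5 (highest).
# A residual score (likelihood x impact) above RISK_APPETITE is unacceptable and
# must have an action plan. The threshold is an assumption for this example.
RISK_APPETITE = 8


@dataclass
class Control:
    """A mitigating measure, expressed as points it removes from likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int            # inherent likelihood, before controls
    impact: int                # inherent impact, before controls
    controls: list = field(default_factory=list)

    def inherent_score(self):
        return self.likelihood * self.impact

    def residual(self):
        """Likelihood and impact after the mitigating effect of the mapped controls (floor of 1)."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1), max(imp, 1)

    def residual_score(self):
        lik, imp = self.residual()
        return lik * imp


def prioritise(risks):
    """Order the register by residual score, then inherent score, highest first."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def action_plan(risks, appetite=RISK_APPETITE):
    """Risks still above appetite after controls: (ref, residual score, gap to close)."""
    return [(r.ref, r.residual_score(), r.residual_score() - appetite)
            for r in prioritise(risks) if r.residual_score() > appetite]


def review_due(assessed_on, today, max_age_days=365):
    """True when the last assessment is older than the agreed review period."""
    return (today - assessed_on).days > max_age_days


# Constructed sample register; risks, scores and control effects are illustrative only.
REGISTER = [
    Risk("R1", "Phishing leading to credential theft", likelihood=5, impact=4,
         controls=[Control("Security awareness training", likelihood_reduction=1),
                   Control("Multi-factor authentication", impact_reduction=2)]),
    Risk("R2", "Ransomware via unpatched internet-facing system", likelihood=4, impact=5,
         controls=[Control("Patch management", likelihood_reduction=2),
                   Control("Offline backups", impact_reduction=2)]),
    Risk("R3", "Outage at third-party SaaS provider", likelihood=3, impact=4),
    Risk("R4", "Misuse of privileged access", likelihood=2, impact=5,
         controls=[Control("Privileged access management", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(r.ref, "inherent", r.inherent_score(), "residual", r.residual_score())
    print("Action plan needed for:", action_plan(REGISTER))
    print("Review overdue:", review_due(date(2023, 1, 15), date.today()))
```

The useful output for a compliance reviewer is not the scores themselves but the action plan list: anything that appears there is a risk the controls do not bring within appetite, and the CISO should be able to name the owner and target date for each entry.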
- Do we have adequate oversight and challenge at board and senior executive level?
Tone from the top is crucial. Cyber security is no longer a responsibility which can be fully delegated to the CISO; it should be high on every Board agenda.
Every director should have a good understanding of cyber security risk, the potential impact on the functions or business service they are responsible for and the measures in place to mitigate that risk. Otherwise, the importance and culture of cyber security will not filter through to the rest of the company.
The risk assessment should provide the board of directors and senior executives with the assurance that all relevant risks have been identified and mitigated.
- Do we have the appropriate controls in place with our third-party supply chain?
Organisations of any size rely on a range of vendors, partners and suppliers that provide the services which enable the business to function. Increasingly, financial services firms outsource IT infrastructure to third party cloud service providers, and key systems are provided on a ‘software as a service’ (SaaS) basis, increasing reliance on third parties for critical business services.
There are a number of implications and risks associated with outsourcing to third party suppliers who may hold highly sensitive information, customer details, financial information, intellectual property, etc. which could be used by attackers to compromise the organisation.
Organisations need to impose the same security policies for all third party suppliers and partners as they do for themselves. This is done through contracting and contract management against agreed Service Level Agreements (SLAs).
Many suppliers have a range of independent assurance such as ISO 27001 certifications or SOC2 reports which can be used to assess cyber control effectiveness. Caution is necessary though as such reports can have limited scope and are valid only at a point in time.
Many firms use third party self-assessment questionnaires (SAQs) but we also find that proactively developing good relationships with your suppliers is as important as an annual risk assessment review and / or completion of a self-assessment questionnaire.
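The two cautions above, that an ISO 27001 certificate or SOC 2 report may not cover the services you actually consume and is only good for a point in time, translate into a simple check a compliance team can run over its supplier register. This is an added example written for this post, not fscom's own process or tooling; the suppliers, services, dates and the 365-day freshness limit are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Assurance:
    """Independent assurance evidence held for a supplier."""
    kind: str            # e.g. "ISO 27001" or "SOC 2 Type II"
    as_of: date          # certificate issue date, or end of the SOC 2 reporting period
    scope: frozenset     # the services the report or certificate actually covers


@dataclass
class Supplier:
    name: str
    services_used: frozenset          # what our firm actually consumes from them
    assurances: list = field(default_factory=list)


def assess_supplier(supplier, today, max_age_days=365):
    """Return a list of findings: missing assurance, stale evidence, or scope gaps."""
    if not supplier.assurances:
        return ["no independent assurance on file"]
    findings = []
    covered = frozenset()
    for a in supplier.assurances:
        age = (today - a.as_of).days
        if age > max_age_days:
            # Point-in-time evidence that is too old is not counted as coverage.
            findings.append(f"{a.kind} evidence is {age} days old (limit {max_age_days})")
        else:
            covered |= a.scope
    gap = supplier.services_used - covered
    if gap:
        findings.append("services outside current assurance scope: " + ", ".join(sorted(gap)))
    return findings


def assess_all(suppliers, today, max_age_days=365):
    """Map each supplier name to its findings; an empty list means no concerns raised."""
    return {s.name: assess_supplier(s, today, max_age_days) for s in suppliers}


# Constructed sample supplier register; names, dates and scopes are illustrative only.
SUPPLIERS = [
    Supplier("CloudHost Ltd", frozenset({"hosting", "backup"}),
             [Assurance("SOC 2 Type II", date(2024, 6, 30), frozenset({"hosting"}))]),
    Supplier("PayGateway", frozenset({"payments"}),
             [Assurance("ISO 27001", date(2022, 11, 1), frozenset({"payments"}))]),
    Supplier("MailRelay", frozenset({"email"})),
]

if __name__ == "__main__":
    for name, findings in assess_all(SUPPLIERS, date(2024, 10, 1)).items():
        print(name, "->", findings or ["no findings"])
```

A supplier whose evidence is current and whose scope covers everything you consume from it produces no findings; everything else is a prompt for the conversation with the supplier that the post recommends, rather than a reason to file the certificate and move on.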
- How are we mitigating the cyber threats to our business?
It is vital to understand how you are mitigating the cyber threats posed to your business.
The first step is understanding what your risk profile is. The second is agreeing what your priorities as a business are and what resources are available for cyber security.
There are numerous actions that can be taken, with an emphasis on good IT hygiene: for example, using a VPN, implementing best practice password processes, managing identity and access processes (particularly privileged access), and securing sensitive data.
Address the people aspect through good training on the risks, employees’ responsibilities and how to follow your processes when a potential security event arises.
Having the right mindset and culture within the business and regularly updating and training your employees through continual education on cyber security has proven benefits.
- Are we testing our systems and controls regularly?
Knowing if your systems and controls work is central to effectively mitigating cyber risk. A controls monitoring, testing and audit framework should be in place.
When did you last test cyber controls? What if something goes wrong at 3am on a Sunday – what do you do? Make sure your team knows what to do if an incident happens.
Regular penetration tests should be an important part of your cyber security testing framework. The objective of a penetration test is to find the security weaknesses that could potentially be exploited.
Many companies fail to conduct regular penetration tests, falsely assuming the company is safe; however, new threats are arising every day.
Test your employees’ responses to phishing emails and plan to improve their responses through training and awareness campaigns.
Many businesses are very quick to channel resources into restoring systems following a serious cyber incident, yet fail to invest in preventing the incident itself or even to have a structured way to respond.
- Are we seeking external input on the current threats and effectiveness of our systems and controls?
Threat modelling and threat intelligence are useful and powerful. They allow you to be alerted to threats, to understand them better, and to consider and practise mitigating the risk they pose. Ensure you do not put barriers in the way of security improvements, and listen to your security teams.
Cyber security should be included in your firm’s audit strategy, and when planning for independent, external audit, the risk posed by cyber events should be addressed by your Board or Audit Committee.
Be proactive in your approach to cyber threat. You should not just respond when an incident happens. You need to anticipate and embrace prevention.
- Are our incident response and disaster recovery plans up to date and recently tested?
The FCA has recently published guidance on operational resilience and the Central Bank of Ireland is consulting on similar guidance, mainly because of the significant failings in payments firms where customers can be left without access to essential funds for day-to-day activities if there’s a break in the supply chain.
Such a cyber incident can be one that creates wide ranging and detrimental reputational business damage. Firms should have plans in place which specifically focus on key systems and processes used to deliver services. These plans should be tested every year to assess their effectiveness in responding to and mitigating the potential damage of cyber events. These tests should be recorded, lessons learned and a remediation plan put in place.
- If there was a breach or incident, how long would it be until we were 100% operational again?
This is a very important question. However, cyber security experts agree that the question is no longer ‘if’ you are breached but ‘when’ you are breached. It can take months to discover there has been a data breach. Operationally resilient organisations will have effective business continuity, disaster recovery and incident response management procedures in place which can save companies a significant amount of time in identifying and containing the incident.
Plans must be tested regularly to establish how long it would take for the business to be fully operational again.
- Have we invested adequately in countering cyber threats?
A strategic approach to cyber security investment should be taken. Investing adequately to counter cyber threats is not always about purchasing expensive hardware. You need to take time to understand the specific risk profile of your business, your constraints and the effect a ‘do nothing’ approach would have on your business and your risk exposure.
Planning a clear, costed and resourced cyber security strategy is an effective approach to countering cyber threat. Spending time getting the culture right, and getting the training right will also pay dividends as prevention is always much cheaper than remediation.
- Are our staff well trained and aware of potential cyber threats?
25% of data breaches were due to negligent employees or contractors.
Supporting people to make better decisions through training is always part of the solution when it comes to compliance. Scenario based interactive training works best. When possible, the delivery of training through a scenario or playbook created specifically for an event type will really help employees understand their role and how they can support the resolution of a security or business continuity incident.
Training should be appropriate for the roles the attendees perform and should be relevant to their functions. Regular and tailored training for your user roles can really make a difference in helping to identify and mitigate the risk of cyber attack.
If you have any questions regarding the regulator’s expectations of your firm or require advice on how you can ensure the right systems and controls are in place, get in touch with us today.
Follow us on LinkedIn for regular updates.