Cyber risk and regulatory compliance are two sides of the same coin in the financial services sector. Together, they spur financial services companies to take action to protect customers, their business and the global financial ecosystem from the malicious cyberattacks or the risk of critical system failures.
As we enter a fast-paced new era of cloud, FS firms – and financial departments for that matter –are striving for agility and efficiency by outsourcing core infrastructure and processes to strategic third-party service providers. At the same time the risk environment also evolves. The challenge lies in the fact that it does so far faster than the regulatory system.
Regulators are left playing catch-up trying to identify the critical risks emerging in a landscape where cloud migration is growing at pace. Do they fully understand the concentration and systemic risks associated with, for example, multiple FS firms choosing the same cloud service provider? How can they develop regulatory frameworks that protect customers and financial ecosystems but still allow for innovation?
The result is that we tend to see regulatory lags, followed by significant corrections where new regulations are introduced that have a major impact on the sector and bring compliance to the top of the corporate agenda. That is what we are seeing right now across Europe and worldwide.
In particular, the implementation of the European Banking Authority’s Outsourcing Guidelines on 30th September 2019 provides a framework for third party engagements that lays ultimate accountability firmly at the door of the Board of FS Firms.
So what does this mean in practical terms for FS firms and how should they respond?
Accountability and risk governance drive regulatory frameworks
Whether we’re looking at European Banking Authority Guidelines, the European Central Bank’s Cyber Resilience Oversight Expectations (CROE) or any of the numerous European regulations coming into force in the next 18 months, there are two overarching themes that financial services firms will have to put at the heart of their compliance workflows:
- Companies must establish Board-level accountability for the strategic management of cyber security.
- Firms must have effective and appropriate governance in place to manage risk and monitor not only its own performance, but also that of third parties.
The challenge for FS firms will be complying with these regulations while minimising the impact on business flexibility and performance. This will require a change in pace and mindset around how they think about risk monitoring, reporting and management.
Better communication and smart technology pave the way for effective compliance
As the Board shoulders ultimate responsibility for cyber security, it will also need evidence to prove it has done so.
Directors will need regular and robust reports and meaningful metrics on which to assess the ongoing effectiveness of security measures and direct the strategic allocation of resources to manage risk. These metrics provide evidence that the organisation is following the required regulations and aiming to improve security performance over time.
In recognition of the dynamic nature of cyber-risk, Boards are also required to conduct regular cyber resilience self-assessments to evaluate the FMIs cyber maturity. Again, this requires metrics against which to measure and monitor maturity.
Key to achieving both these goals is the speed at which FS firms must be able to conduct assessments – if it takes three months to establish the full security posture, the report will be three months out of date.
Extending into third party risk management
The extension of risk management to third parties presents interesting challenges. Regulators have highlighted that outsourcing core services such as cloud infrastructure and data processing to third party suppliers exposes system resilience and client data to additional risk. Additionally, the EBA guidelines recognise that the interconnected nature of vendor networks means a firm that might have low relevance from a business perspective may become vulnerable though poor security performance and become a source of risk propagation.
The regulations are clear that the responsibility of managing third party risk lies with the primary organisation and that effective management processes must be implemented to continuously assess and monitor the security performance of third-party vendors. Current approaches to third party risk management, which offer only a snapshot of performance at the time of assessment, will not suffice. To proactively mitigate risk, FS firms need automated tools and smart technology that continuously measures and monitors the security performance of vendors.
Developing and implementing the processes and metrics to ensure ongoing compliance with escalating regulation will be a defining challenge for financial services firms over the coming years. This step change in regulatory focus should be a wake-up call to all businesses that dynamic, real-time approaches are needed, supported by robust metrics to guide strategic security decision-making.
In recognition of the challenges ahead, BitSight has developed a comprehensive whitepaper examining how emerging regulations will impact FS firms across Europe, identifying the common themes and governance requirements and exploring the smart, real-time technology solutions that can help FS Firms comply and demonstrate resilience while continuing to drive innovation and transformation.