A review of how well boards and management committees understand and manage the cyber risks their firms face has revealed that many should take more proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority.
The Financial Conduct Authority (FCA) carried out a cyber security multi-firm review with a sample of 20 firms in the asset management and wholesale banking sectors. The firms selected varied in terms of their size, scale, operating models, and geography.
Among its findings, the FCA review noted that many firms ‘need to do more to ensure that board and management committee cyber security decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm’s activities and risk profile’.
It adds: ‘Where a firm relies on group-level or other centralised arrangements, management committees and boards should carefully assess whether these are fully aligned with the firm’s specific risks and ensure they address any identified gaps’.
One of the more prominent areas of discussion for the review was Management Information (MI) and the key role it plays for senior management. ‘All board members and senior management would like to receive MI which is clear, thoughtfully designed and easily understandable’, the report explains. ‘The design of MI is critical, particularly when boards need to be sighted on and understand the risks an organisation faces on an ongoing basis, and where it is relevant to risk appetite’.
The FCA stated that its discussions with the firms sampled suggested that the solution to the MI issue on cyber security was ‘not simply providing a large quantity of detailed key performance indicators (KPIs) and key risk indicators (KRIs)’: ‘Too much detail or detail without context was seen as counter-productive, as it affects boards’ ability to identify meaningful trends, particularly for those who are not familiar with cyber security challenges’.
Several asset management firms had experimented with different formats of MI on operational resilience issues, including cyber security, to refine the quality and effectiveness of the papers they gave to their board.
A summary of the review’s work and conclusions can be accessed at http://bit.ly/FCAreview.