A review of how well boards and management committees understand and manage the cyber risks their firms face has revealed that many should take more proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority.
The Financial Conduct Authority (FCA) carried out a cyber security multi-firm review with a sample of 20 firms in the asset management and wholesale banking sectors. The firms selected varied in terms of their size, scale, operating models, and geography.
Among its findings, the FCA review found that many firms “need to do more to ensure that board and management committee cyber security decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm’s activities and risk profile”.
It adds: “Where a firm relies on group-level or other centralised arrangements, management committees and boards should carefully assess whether these are fully aligned with the firm’s specific risks and ensure they address any identified gaps”.
One of the more prominent areas of discussion for the review was Management Information (MI) and the key role it plays for senior management. “All board members and senior management would like to receive MI which is clear, thoughtfully designed and easily understandable”, the report explains. “The design of MI is critical, particularly when boards need to be sighted on and understand the risks an organisation faces on an ongoing basis, and where it is relevant to risk appetite”.
The FCA stated that its discussions with the firms sampled suggested that the solution to the MI issue on cyber security was “not simply providing a large quantity of detailed key performance indicators (KPIs) and key risk indicators (KRIs)”: “Too much detail or detail without context was seen as counter-productive, as it affects boards’ ability to identify meaningful trends, particularly for those who are not familiar with cyber security challenges”.
Several asset management firms had experimented with different formats of MI on operational resilience issues, including cyber security, to refine the quality and effectiveness of the papers they gave to their board.
A summary of the review’s work and conclusions can be accessed at http://bit.ly/FCAreview