- Aravo for
- Aravo Ecosystem
- About Us
- Request Demo
In a speech last week at the Cyber Security Summit and Expo 2017, Nausicaa Delfas, Chief Operating Officer at the FCA, called out cyber risk as one of the FCA’s top priorities and noted its close intersection with supplier risk, and third, fourth and fifth party risk.
Boards need to lead the cultural mindset on security
Delfas noted that in addition to having the right technology to protect, detect, recover and respond to cyber risk, that it is important to move people into the right cultural mindset on security – and that this mind-shift starts with the Board. She astutely observed that investors play a part too. The trend here has been encouraging, she noted:
“[the FCA] has been encouraged to see that many firms within the financial sector are now treating cybersecurity as a business-led risk, with active engagement within the boardroom. We are also seeing the emergence of investment companies beginning to question the cybersecurity of the companies that they are investing in. This can only be a good thing – focus and pressure from directors and major shareholders can help drive the outcomes necessary”.
She also provided practical examples of five questions a Board should be asking:
Where risk lies beneath the surface – supplier and third-party risk
Delfas called out the role of supply chains and third parties in cyber risk exposure. Pointing to the Target data breach and the NotPetya ransomware as examples of suppliers being under the surface of cybersecurity failings, she reminded the audience that when managing supplier and third party risk, it is not sufficient merely to consider IT suppliers – but all suppliers, from air conditioning, to delivery, to advertising, to lawyers, etc.
While this can seem overwhelming, she shared innovations that the FCA are seeing in the market in an effort to manage their supplier cybersecurity risk. These included:
This was seen as a double-edged sword: it seems practical on the surface, but can add considerable burden operationally and for suppliers who are inundated with audit requests. “We end up with a world where everyone is auditing everyone else: is this really sustainable, and cost-effective?”
Delfas observed that the FCA are seeing “services emerge where intermediaries perform assessments to a commonly accepted standard within the financial sector – standardizing third-party risk management processes, focussing on vendor due diligence and ongoing monitoring. Instead of individually auditing each of their suppliers an intermediary standardizes these audits and provides firms with information about their suppliers, on an ongoing basis.”
Delfas also called out that they’d seen the rise of tools that automatically evaluate and measure the cybersecurity indicators of companies on the internet. These use publically available indicators to calculate an aggregated security score. This gives firms a sense of their suppliers’ security performance – and whether they pose a higher data breach risk, for example. This gives the means to prioritize suppliers and determine appropriate follow up and remediation associated with the level of risk. She noted that the regulator was also looking at using these tools in their own work.
Finally, Delfa noted that by applying small ‘nudges’ frequently to suppliers, such as ensuring cybersecurity is brought up regularly in conversation with them, helps set the tone that attention to cybersecurity is important and constant.
Some takeaways to consider
It’s obvious that cybersecurity, resilience and supplier/third party risk management are high on the regulator’s agenda. Here are a few takeaways from Delfa’s speech: