Most board members of wholesale banking and asset management companies lack familiarity with the cyber-security problems their organisations face, according to a new report by the Financial Conduct Authority (FCA).
The report found that while firms acknowledged the importance of strong cyber-security, "there were different degrees of understanding of the many potential ways that weak cyber-security could affect business activities and lead to harm to clients and the wider markets. This was particularly the case at the board or management committee levels."
The review looked at a sample of 20 firms out of the 3,000 that currently operate in the UK financial sector. It said that companies "generally lacked board members with strong familiarity or specific technical cyber-expertise".
The FCA also found that some firms had brought in outside help to advise them on cyber-security, but warned that over-reliance on it could hinder their own efforts.
"External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way. In some cases, it was also unclear whether firms would be able to rely on timely access to these third-party resources if there was a serious problem," the report said.
The watchdog also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains. Not all firms, it noted, "appeared to have considered the risk that their firm may be used as conduits to damage other firms or connected infrastructure. Nor had they considered the risk that attacks may be motivated by attempts to commit market abuse."
Malcolm Taylor, director of Cyber Advisory at ITC Secure, told SC Media UK that good cyber-security can be understood and, crucially, led by boards in all sectors.
"It’s about risk management: understand, assess, act, repeat. Boards are good at risk management – it’s at heart what they do. It is a specialist risk, granted, but so is legal, political, physical and more. Outside expertise will, for most of the mid-tier of the economy, be essential," he said.
"This survey confirms what we in the cyber-security industry have known for some time: the cyber-threat is widely misunderstood and perhaps underestimated by some. I don’t think this is limited to these sectors, either – it’s every sector and at every level. None of this is a criticism. The cyber-threat is a new threat, it is in places deeply complex, and it is presented as almost existentially dangerous."
Stephen Gailey, solutions architect at Exabeam and former group head of security services at Barclays, told SC that many bank boards still do not understand the cyber-threat.
"They see the information security budget and feel that they are taking action, but they don't fully engage with the CISO and his team," Gailey said.
"The reality is that whilst budgets have increased over the last ten years or so, much of that spend has focused on compliance and insider threat. The composition of these boards ensures that there is no information security experience at that level, and security professionals who can translate the threats and challenges into language the board will understand are still rare," he said.