Information security, cyber security and data privacy risks remain a key part of business-wide risk assessments, because they bear on the adequacy of the business's financial resources, on customer confidence and on exposure to financial crime. To tackle current and emerging risks effectively, Boards are critical in driving effective policy, asking tough questions, and evidencing to the regulator both how policy is developed and how risk management is overseen.
Regulators across jurisdictions take different approaches to supervision. The common focus, however, is on how technology is used, what effect it has and how far the business relies on it when providing products and services to clients, rather than on an assessment of the suitability of the technology itself.
Boards need to strike a balance between the perceived or projected cost savings of technologies and the risk of over-reliance on automated solutions, whose failure may result in reputational damage, fines and disruption.
While agility and efficiency are among the key measures of success for the Board, there is a growing need to ensure that the effectiveness of technology within the business is properly tested and reported on within compliance reporting.
As the July 2024 CrowdStrike outage showed, technology risks do not always stem from "bad actors": a faulty update to a widely trusted security product took down systems across the world. The lesson is the risk of over-reliance on third-party assurances or services that the business has not tested for itself.
What technology risks should boards consider?
Boards are expected to ensure that risks, including system failure and data security breaches, are appropriately identified and assessed under business-wide risk assessments, and then monitored and controlled effectively as part of an ongoing compliance monitoring programme (CMP).
Boards are ultimately responsible for the compliance arrangements, including the effectiveness of the CMP. Compliance reports against the approved tests established under the CMP.
Through these arrangements, Boards must be able to evidence that effective policies, procedures and controls are in place, which is easier said than done given the seemingly endless list of requirements, such as:
- management information, to enable effective oversight;
- corporate governance controls, including the establishment of appropriate risk committees;
- risk registers: asset; infrastructure; cyber event; data assets; breaches register; etc.;
- policy controls: acceptable use; email; password; network security; incident response; unsupported operating systems; back-up and storage policy; etc.;
- planning controls: business continuity; disaster recovery; back-up copies;
- risk assessments: patching; vulnerability assessments (mobile devices, virtual machines, physical servers); phishing simulation click rates; third party management; and outsourcing;
- technical controls: firewall rules, anti-virus and anti-malware, back-up parameters; etc.;
- testing controls: penetration testing; phishing tests; business continuity tests; disaster recovery tests; back-up storage and retrievability tests; record keeping and retrievability tests;
- horizon reporting: emerging threats and vulnerabilities (AI, ransomware, supply chain weaknesses, social engineering, etc.);
- training: security awareness; cyber and data protection/privacy.
Testing internal controls
Testing internal controls is crucial for ensuring the security and compliance of an organization’s IT systems. Such tests may need to include:
- Regular phishing tests and security awareness reporting: usually conducted through specialist third-party suppliers to evaluate and improve employees' awareness of, and response to, phishing attempts.
- Cyber training and testing programmes: initiatives that educate staff on cybersecurity best practices and assess their preparedness for potential threats.
- Evidence of third-party assurance: such as accreditations from reputable external organizations that validate the effectiveness of internal controls. Check that the scope and period of each accreditation actually cover the systems and services the business relies on; a certificate for a different scope provides little assurance.
- Corporate governance assurances: demonstrating that the Board or relevant risk committee has considered legal and regulatory requirements, supported by evidence such as third-party IT security reports or assessments.
- Maintenance of risk registers, including an assessment of whether the relevant regulator needs to be notified, such as:
  - cyber event register;
  - IT asset register;
  - data protection register; and
  - outsourcing register.
- Quality of management information reporting: ensuring comprehensive reporting on IT network security, including details on:
  - external incidents;
  - breaches;
  - lost devices;
  - data loss;
  - security events;
  - detection and response measures; and
  - network monitoring controls.
- Evidence of updated training logs, approved policy controls, and competent board reporting: demonstrating ongoing training, policy adherence, and effective governance oversight.
Evidencing your approach
Upon request, Boards must be able to provide evidence to the regulator that technology risks have been fully considered and that controls have been implemented in accordance with the size, nature and complexity of their business.
The task can be made less daunting if the majority of the information is contained within one quality control or operational manual (supported by additional assurance reporting). In most cases, a Security Information Report or a System and Organization Controls (SOC) report documenting how all the above risks are mitigated and controlled, alongside quarterly reporting and annual third-party assurance reviews, should meet most compliance requirements. When relying on a SOC report, check its type (a Type 1 report covers the design of controls at a point in time, whereas a Type 2 report covers their operating effectiveness over a period), the period it covers and any subservice providers it carves out, so that the assurance actually extends to the systems the business depends on.
Paul Ford, head of Regulatory and Governance, joined Bovill Newgate as a senior compliance consultant in 2023 following 20+ years' providing professional services in operational, legal, compliance and regulatory roles across various sectors, including financial services in Guernsey.