Cyber risk and Information Security are hot topics in the industry and with regulators. Whilst investment management organisations are getting better at managing their own perimeter and guarding against threats, are they doing as effective a job when it comes to overseeing their suppliers and the cyber risk they present?
The Cyber Security Breaches Survey 2021 [1] states that four in ten businesses report having had cyber security breaches or attacks in the last 12 months. Cyber attacks are a significant threat to all businesses, so when it comes to managing cyber risk an organisation needs to consider not only its own environment but its supplier landscape too. To achieve this there are four key requirements:
- Ensure your Supplier Governance Policy considers cyber risk from initial engagement through to exit
- Implement appropriate cyber key risk indicators and metrics with your suppliers
- Perform regular cyber specific due diligence of your supplier
- Ensure you have an incident management plan in place with your supplier if the worst does happen
Suppliers represent a large part of a financial services organisation’s Operating Model, and regulation SYSC 8.1 requires firms to ensure they have appropriate governance and oversight arrangements in place. The starting point for any business is to ensure that its Supplier Governance Policy requires cyber risk to be considered at the point of engaging a new supplier. It then needs to ensure that appropriate focus is given to the ongoing management of the supplier if cyber risk is identified. Remember that your policy should require you to reassess a supplier’s categorisation if services change, and that reassessment should include the cyber risk.
Globally, the average total cost of a data breach in 2021 was $4.24 million [2]. Cyber risk changes the way businesses should think about categorising their suppliers. Historically, businesses focused on the impact of service failure when risk assessing a supplier. Cyber threats mean that businesses now need to consider the data the supplier is holding on their behalf as well. As an example, do any of your organisation’s third party legal or HR relationships hold personal data about your staff? Does the current supplier categorisation reflect the risk posed if that data is stolen or manipulated?
When it comes to personal information or critical business information, organisations have become much more proficient at identifying their ‘crown jewels’ and ensuring the right technical controls and oversight processes are in place to protect them. Suppliers can also regularly hold critical business information or personal information on behalf of their clients. It is therefore just as important to ensure that the oversight processes, metrics and risk indicators in place with suppliers consider these risks as well. It is very likely that today a business will have service levels and key performance indicators in place with its key suppliers. These exist to ensure that a business has its finger on the pulse of how that supplier service is performing. A business needs to ensure it has the same for cyber risk. For example, are suppliers required to inform your business about fourth party risk? Do you have an SLA around notifying your business of any changes to fourth party relationships that impact your organisation and its data?
As part of demonstrating appropriate oversight, it is important for a business to understand how a supplier manages its Information Security and cyber landscape. The starting point is to understand whether the supplier aligns with, or is accredited against, an industry standard like ISO or NIST. It is then important to spend the time understanding how they have implemented those standards. What does their control framework look like? Due diligence needs to extend into understanding how the supplier has structured its cyber approach: for example, do they have an in-house Security Operations Centre (SOC) or do they outsource it? If it is outsourced, what do their oversight processes look like with that supplier? The next area to understand is how often the supplier gets external validation of its security controls and how frequently third party penetration testing is performed. Does this go as far as red teaming? Your business needs to dedicate appropriate time to understanding its supplier’s approach, control framework and assurance processes to be comfortable that its data is appropriately protected.
Whilst demonstrating effective oversight of suppliers is critical, it is not the only thing a business should be doing. It is increasingly likely that at some point a supplier will experience a cyber attack. It is therefore just as important to ensure that a business has the right responses in place with its suppliers if this does happen. They need to ensure that they have a cyber specific incident management plan. This should clearly set out the steps to follow and a communication plan in the event a supplier is attacked and client data is accessed or impacted in some way. According to the IBM Cost of a Data Breach Report 2021 [3], ‘Organizations in the study who have formed incident response (IR) teams and tested their incident response plans saw an average total cost of a data breach that was $2.46 million less than organizations that experienced a breach without an IR team or a tested IR plan.’ Appropriate resiliency planning is something that the regulator has required for several years, and cyber risk means that this is more important than ever. Having appropriate resilience plans in place in the event of an incident occurring can limit the impact on your business and ensure that you are able to continue operating whilst the supplier attempts to recover. The most effective way a business can protect itself is by planning for the worst-case scenario and ensuring that it has the processes and plans to deal with the situation if it arises.
In a world where cyber risk is changing the way we operate and manage our businesses, it is important that we do not assume that suppliers are doing just as good a job as ourselves at protecting what is important to us. We need to make sure for ourselves.
Mirador Solutions can help you ensure that you are considering cyber risk with your suppliers and help you ensure that your Supplier Governance Policy is fit for purpose, that you have the right metrics and key risk indicators in place and that you have the right response plans and resiliency models required to keep your business operating in the event of an incident.
[1] Source: GOV.UK
[2], [3] Source: IBM Cost of a Data Breach Report 2021