Case Study: Third-Party Risk Management
After completing this reading, you should be able to:
With the increasing frequency, severity, and complexity of cyber incidents, many legislative, regulatory, and supervisory initiatives have been launched. For instance, the G7 published its Fundamental Elements of Cybersecurity for the Financial Sector in October 2016. In the European Union (EU), the European Commission (EC) developed the FinTech Action Plan, which called for convergence of ICT risk requirements among supervisory authorities.
The Operational Resilience Working Group (ORG) was established by the Basel Committee on Banking Supervision (BCBS) to address cyber risk in coordination with other international bodies. The Committee mandated the ORG to produce an assessment of the cyber-resilience practices observed at supervisory authorities and regulated firms.
The primary objective of this chapter is to identify, describe, and compare regulatory and supervisory cyber-resilience practices across jurisdictions, building on the ORG’s input to the Financial Stability Board (FSB) survey of April 2017. The FSB report based on that survey was published in October 2017 and covered cybersecurity regulations, guidance, and supervisory practices at both national and international levels.
The BCBS uses the definition of cyber resilience from the FSB Cyber Lexicon: “the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.”
Cyber-resilience expectations in many jurisdictions are rooted in operational and IT risk guidance, set out in regulatory standards that communicate the jurisdiction’s expectations and promote good practice. This guidance typically covers governance, IT risk management, information security, IT recovery, and the management of IT outsourcing arrangements. Cyber risk management is treated as a branch of this operational or IT risk guidance.
Cyber risk management guidelines build on information security guidance, and a sizeable number of jurisdictions have issued such guidance. For instance:
Where specific cybersecurity regulations are absent, supervisors encourage regulated organizations to adopt international standards and to follow the guidance and supervisory practices issued under the national cyber agencies’ initiatives. The primary international standards referenced are the NIST Cybersecurity Framework and the ISO/IEC 27000-series standards.
Some jurisdictions, however, develop binding standards that the financial sector must comply with. For instance, the Australian Prudential Regulation Authority (APRA) has issued a prudential standard on information security (CPS 234) that requires APRA-regulated entities to maintain an information security capability commensurate with the vulnerabilities and threats they face, so that they remain cyber-resilient.
Most regulators have instituted guidance or regulations of varying maturity that address enterprise IT risk management in general, without specific regulations or supervisory practices for the cyber risk management of essential business functions, interconnectedness, or third-party management. To address this gap, supervisory expectations and practices were identified and analyzed in each of the following areas relating to governance:
Most regulators do not require organizations to develop a stand-alone cybersecurity strategy. However, organizations are expected to have a board-approved information security strategy, policy, and procedures, consistent with the principle of effective board oversight of technology. For instance, most European jurisdictions require that cyber risk be addressed within the organization-wide risk management framework and the information security function, monitored and reviewed by senior management.
Jurisdictions impose cybersecurity strategy requirements through three non-mutually exclusive regulatory routes:
A sizeable number of jurisdictions have issued guidance and requirements on the roles and responsibilities of the board of directors (BoD) and senior management. Some specifically charge the BoD and senior management with overseeing technology risk, whereas other jurisdictions treat cyber governance as a risk to be handled within existing risk management structures.
A significant number of jurisdictions nevertheless recognize the importance of BoD and senior-management roles in cyber governance and controls. For instance, in the US, the EU, and Japan, guidelines encourage G-SIBs and D-SIBs to put in place a well-defined, risk-sensitive management framework driven by the BoD. Emerging markets, moreover, tend to implement more granular and prescriptive cybersecurity arrangements.
Most regulators have adopted the three lines of defense (3LD) risk management model to monitor cybersecurity risk and controls. Jurisdictions that do not require the 3LD model still expect banks to define responsibilities without leaving any gaps.
The degree of 3LD implementation therefore varies significantly. In almost all jurisdictions, the first and second lines receive more emphasis than the third line (internal audit), which limits the value the model delivers.
To maintain cyber resilience, a bank’s staff must be aware of cyber risk and of the prevailing risk culture. Most regulators across jurisdictions stress the importance of risk awareness and risk culture at every level of the organization, from the BoD to employees.
Some regulatory requirements address cybersecurity awareness and related staff matters in regulated entities. In other jurisdictions, regulators require that cyber training be incorporated in every phase of employment, from recruitment to termination, and that staff agreements contain non-disclosure clauses. Moreover, some jurisdictions require employees to be re-screened at regular intervals to mitigate insider threats.
In some jurisdictions, regulators assess whether banks have effective processes and controls to ensure that employees, contractors, and third-party vendors understand their roles and responsibilities in reducing the risk of theft, fraud, or misuse of the institution’s facilities.
Most regulators advocate establishing a common risk culture as the basis for effective cyber risk management.
A small number of jurisdictions provide controls and supervisory guidance on cybersecurity architecture. In Saudi Arabia, for instance, the practices that address cybersecurity architecture rest solely on periodic self-assessment.
Characteristics such as skills and competencies, regulatory frameworks, and the range of practices differ across jurisdictions. Some jurisdictions have dedicated IT standards covering the responsibilities of the IT workforce and the information security function, with specific provisions on the cybersecurity workforce and its training. These standards address the assessment of staff expertise within each team, training procedures, and the funding and resources allocated to a firm’s cybersecurity.
Many regulators assess the cybersecurity workforce during on-site inspections, by interviewing the relevant specialists or through self-assessment questionnaires. Regulators also review the training provided.
Overall, practices and regulatory expectations regarding the cybersecurity workforce vary widely, and no common approach has emerged. In some jurisdictions the regulatory requirements are limited to high-level supervisory goals, and supervisors do not assess skills and training at all. However, jurisdictions such as Singapore and the UK have issued dedicated frameworks to certify cyber workforce skills and competencies.
Approaches to assessing cyber resilience vary across jurisdictions. Most assessments consider cyber risk in the context of the institution’s scale, complexity, business model, and previous findings. Institutions are then grouped into categories that determine the supervisory program, which concentrates on financial and operational matters under the applicable national and international legislation.
Some jurisdictions, such as the EU, have specific guidance on the circumstances that trigger a cybersecurity review. Such triggers include an organization’s own assessment, the results of on-site inspections or questionnaires, and incidents.
A large proportion of jurisdictions conduct both on-site and off-site reviews and inspections of regulated organizations’ information security controls, to assess compliance with regulatory standards and adherence to good practice. These assessments take the form of either a general technology assessment or a risk assessment, and typically concentrate on governance and strategy, management frameworks, controls, third-party arrangements, training, monitoring and detection, response and recovery, and information sharing and communication.
Industry engagement aims to influence industry behavior or to gather feedback and views on regulatory work. It can take the form of conferences and other events that reach a range of regulated entities and industry participants. Some jurisdictions include third-party service providers in this engagement through events that bring together regulators, supervisors, the industry, and service providers.
The majority of jurisdictions acknowledge the significance of mapping and classifying business services and their supporting assets in strengthening resilience. Moreover, independent assurance gives management and regulators an evaluation of whether appropriate controls have been implemented effectively.
Cybersecurity controls are implemented through risk-based decisions measured against the regulated institution’s risk appetite. Conventionally, regulated entities test the information security controls applied to hardware, software, and data to prevent, detect, respond to, and recover from cyber-attacks.
Supervisors, in turn, review and challenge the regulated organizations’ methods for testing controls and remediating the issues identified. This includes reviewing survey responses, threat and vulnerability analyses, risk analyses and audit reports, and control testing reports such as penetration tests and health checks.
Jurisdictions that have developed standardized, intelligence-led penetration testing frameworks include the ECB (TIBER-EU), the Netherlands (TIBER-NL), and the UK (CBEST). These tests are voluntary, funded by the regulated organizations, and aimed mainly at larger and more systemically important institutions. Most target a regulated organization’s protective and detective capabilities, while some also focus on response and recovery.
Defining precise cyber risk controls is as essential to building effective cyber resilience as reviewing those controls. Some jurisdictions use control taxonomies to identify gaps in the coverage of their supervisory approach. However, these taxonomies differ across jurisdictions and are not built on harmonized concepts and definitions.
Evaluation of service continuity concentrates on checking whether the risk management framework, business continuity management strategy, IT disaster recovery arrangements, and data strategy are aligned with one another.
A large proportion of jurisdictions require institutions to develop a framework or policy covering prevention, detection, response, recovery, and the reporting of threats. For instance, US guidance on incident management covers identifying the source of a compromise, analyzing and classifying events, and escalating and reporting incidents.
Analysis of a regulated organization’s incident response and recovery plans concentrates on the plans themselves, their implementation, and the preservation of data, with specific attention to critical technology.
Some jurisdictions, such as Australia and Belgium, conduct post-incident reviews by discussing the response and the root-cause analysis with the regulated entities; no other standard practice was observed.
Apart from testing, most supervisors and banks conduct exercises to practice responding to an incident. After a joint exercise, a summary is published so that others can learn from it.
Some jurisdictions have developed methods to analyze or benchmark a regulated institution’s cybersecurity and resilience, drawing on reported incidents, surveys, penetration tests, and on-site inspections. These metrics are not comparable to the standardized quantitative metrics used for financial risk and resilience. They do, however, serve as indicators of the regulated entities’ approach to establishing and ensuring cybersecurity and resilience.
Moreover, supervisory authorities may rely on the regulated entities’ own management information, which differs from entity to entity.
Conventionally, regulators and regulated institutions use retrospective (backward-looking) indicators to assess a technology function’s performance. These indicators are usually presented to the BoD and executives as management information, which regulators may in turn analyze.
Retrospective indicators suit entities operating in a risk environment that is relatively stable over time and largely independent of external influences. Cyber risk, however, is dynamic, and changes in the threat landscape alter the protective and response measures an entity needs. Despite the prevalence of backward-looking indicators, jurisdictions are increasingly adopting forward-looking indicators as direct and indirect measures of resilience. Forward-looking indicators show whether an entity is likely to be more or less resilient when a threat materializes.
The Basel Committee describes the mandatory and voluntary mechanisms observed for sharing cybersecurity information among banks, regulators, and security agencies, as shown in the diagram below:
There are five types of information sharing: among banks, from banks to regulators, among regulators, from regulators to banks, and with security agencies.
Sharing among regulators is the least observed type, because regulators’ information-sharing arrangements are less regular. It usually happens on an ad hoc basis, bilaterally or within supervisory colleges in specific circumstances.
Information shared between regulators and banks may cover cyber threats, cybersecurity incidents, regulatory and supervisory responses to incidents, and the identification of cyber threats. Of these, information on cybersecurity incidents is the most broadly observed in sharing between banks and regulators and with security agencies, while cyber threat information is the most broadly shared among banks.
Some jurisdictions have put in place guidelines to make information sharing by banks and regulators more effective. Where bank-to-bank sharing is well established, less sharing from regulators to banks is observed, because the banks already receive the information through their own sharing model. Likewise, where there is an effective mechanism for sharing from banks to regulators, there is less sharing with security agencies, because responsibility for processing cybersecurity information has been allocated between regulators and security agencies in that jurisdiction.
Banks share information such as cybersecurity threats with peer banks through approved channels so that peers can respond in time to a similar threat. Regulators are not directly involved in bank-to-bank sharing, but they have a role in establishing voluntary mechanisms for sharing vulnerability, threat, and incident information, and may flag imminent threats.
Some jurisdictions have developed public-sector platforms for information sharing, while others encourage the private sector to establish information-sharing organizations. For instance, Brazil, Japan, and Saudi Arabia require banks to share information with one another through regulation or mandate. Other jurisdictions have established public or private forums, or government-run centers, for information sharing.
The extent of the information sharing and collaboration among the banks depends on the financial industry’s culture and the level of trust among the banks.
Information shared from banks to regulators is largely limited to cyber incidents reported under regulatory reporting requirements. Bank-to-regulator information sharing is essential because:
Different authorities develop reporting requirements for different reasons, depending on their mandate (for example, consumer protection). In almost all jurisdictions, reporting cyber incidents to regulators is mandatory, with varying requirements and scope. For instance, all regulated entities in the European Union must report cyber incidents to the competent authorities.
The scope and perimeter of reporting depend on the type of authority (such as national security), its mandate (such as banking supervision), the sectors involved, and the geographical range (such as the national level). While some supervisors concentrate on incidents that have already occurred, others require continuous monitoring and tracking of potential cyber threats, because institutions may delay reporting incidents to protect their reputation.
Reporting frameworks differ, ranging from formal communications to informal ones such as verbal updates and emails. Reporting therefore differs in the following aspects:
These factors reflect the differences between banks in different jurisdictions or under different supervisors: banks must complete different templates, each with its own taxonomy, reporting time frame, and threshold.
Under incident reporting, information flows from the banks to the regulators. The direction is reversed when regulators want to warn entities about incoming threats.
Regulators share information domestically or internationally under the relevant mandatory or voluntary information-sharing structures. The information shared includes regulatory actions, responses, and measures.
Regulator-to-regulator information sharing is the least observed across jurisdictions (apart from some ad hoc communication channels). It is nevertheless strongly encouraged because of increasing cross-jurisdictional cyber fraud: regulator-to-regulator sharing can enable timely guidance that protects banks from such fraud schemes.
Information flows from regulators to banks through appropriate channels, depending on what the regulator has received from banks and other sources. Some jurisdictions, such as China and Turkey, have defined standards and practices for regulators’ sharing with banks. There, information first flows from the banks to the regulator; the regulator analyzes the risk to the financial industry and then shares information with the banks as warranted by that analysis. Where the information contains customer-specific data, the regulator shares it in anonymized form.
Regulators with an established regulator-to-bank mechanism share public information through channels such as sharing platforms and meetings. Non-public information is shared with appropriate participants only, through informal means, while preserving the confidentiality and anonymity of the affected organizations. This in turn preserves the entities’ confidence and trust in the regulator.
Some jurisdictions (such as China) have made it mandatory for regulators to share information with banks, whereas others, such as Singapore, support voluntary sharing by regulators.
Information sharing with security agencies covers sharing between banks or regulators and the security agencies of a given jurisdiction. It is crucial for timely awareness of cyber threats and for improving defensive measures against attackers.
In jurisdictions with established security agencies, those agencies serve as focal points for cyber threat notification. Accordingly, jurisdictions have established standards and practices under which critical entities and regulators share cybersecurity information with national security agencies. Some jurisdictions support voluntary reporting (such as the UK), while others mandate it (such as Canada and France).
No party can be fully assured of the cyber resilience of the entities it depends on. Regulators face this limitation with respect to financial institutions, and financial institutions face it with respect to their third-party service providers. Extensive use of third-party providers makes it hard for both jurisdictions and regulated entities to obtain a clear view of the controls in place and the level of risk.
To establish a clear understanding of the practices associated with cyber resilience, third parties are considered as follows:
The link between cyber resilience and third parties is discussed along the following lines:
Regulations in different jurisdictions require institutions to establish a management- and board-approved outsourcing (or organizational) framework that outlines the following:
Regulators may also require institutions to put in place a contractual framework defining the generic rights, obligations, roles, and responsibilities of the institution and the service provider.
The standard practices regarding third parties include:
Some international standards recognize that institutions may depend materially on third-party interconnections beyond outsourcing arrangements. For instance, ISO/IEC 27031 sets out requirements covering hardware, software, telecommunications, applications, third-party hosting services, utilities, and environmental factors such as air conditioning.
Some jurisdictions require financial institutions to sign a prior contract with clients when delivering financial services over the internet that involve advice, personalized data management, or the execution of transactions.
Most jurisdictions require either prior notification or prior approval of cloud outsourcing, documented through questionnaires or templates. These documents are not identical across jurisdictions, but they provide a basis for the institution’s internal risk analysis.
Regulations and practices can be made future-proof by focusing on products and services and on new expectations for secure development and procurement. Notably, some requirements mandate that systems be designed according to security principles, recognizing that devices, applications, and systems will be increasingly interconnected and therefore exposed to one another’s vulnerabilities.
Supervision of third parties varies across jurisdictions, but supervisors use conventional tools (such as self-assessment questionnaires) to verify that standard expectations are met. Third-party providers may be checked through on-site reviews and inspections, either under a formal requirement or legal authority or with the cooperation of the service provider. In some cases, supervisors work directly with cloud providers, formally and informally, to have audit rights incorporated in contracts for the financial industry, or participate in the regulatory conferences organized by large cloud service providers.
A supervisory college model can also be established to supervise, and share information about, large and globally active service providers such as cloud providers; this helps address issues arising from mandate limitations and regulatory fragmentation.
To protect the availability and continuity of critical business activities during cyber-attacks, regulators require financial institutions to analyze such scenarios, to design and implement appropriate plans, procedures, and technical solutions, and to test the mitigating measures adequately. For businesses that depend on third-party interconnections, regulations further require institutions to align the business continuity plans of critical suppliers with their own continuity and security needs and policies.
It is widespread practice for regulators to require entities to define recovery and resumption objectives. The targeted activities and services are usually cloud outsourcing, settlement processes, or internet services.
Expectations on plans and procedures address the tasks and responsibilities for incident management, response, and recovery in the face of threats; the information and communication needs of critical internal and external stakeholders; and the required resources, including planned redundancy, to allow a quick transfer of outsourced activities to another provider if the service provider’s continuity or quality is likely to be impaired.
A large proportion of regulators and global standards require financial institutions to test protective measures regularly to determine whether they are effective and efficient, and to adjust them accordingly. More mature regulators expect that tests of critical activities be based on realistic and plausible threats, be conducted annually, and include service providers and essential counterparties through collaborative and structured resilience testing. These tests are complemented by audits and monitoring of the outsourcing parties.
Similarities in supervisory expectations and practices on business continuity and availability are mostly seen in the entities’ stand-alone business continuity. These similarities could provide a basis for testing continuity and resilience more extensively in a collaborative and coordinated form involving larger financial institutions.
Supervisory requirements on the internal and external audit of third parties fall into two categories:
That said, current regulations are built around conventional outsourcing and, possibly, cloud computing providers, and the scope of requirements on rights to inspect and audit is focused mainly on the banking sector. Shared and independent audit reporting on critical third-party interconnections promotes an effective and efficient audit approach.
Regarding the security expectations for outsourcing and cloud computing providers, entities must monitor whether their providers comply. However, most regulations do not prescribe a method for testing or verifying the extent of the providers’ compliance. One viable method might be bank-led or supervisor-led red-teaming exercises targeting the interconnections.
The confidentiality and integrity of information are usually addressed under general data protection requirements, by requiring contractual terms to include confidentiality agreements and security requirements for protecting the information of the bank and its clients. Additionally, financial market infrastructures are required to maintain cyber resilience in line with the CPMI-IOSCO guidance: an FMI must design and test its systems and processes so that it can resume critical operations within two hours of a disruption and complete settlement by the end of the day.
An increasing proportion of jurisdictions require that information transferred to the cloud be protected by contractual clauses, and that cloud-specific issues be addressed to safeguard the data.
In other jurisdictions, regulations require outsourcing arrangements to comply with legal and regulatory provisions on the protection of personal data, confidentiality, and intellectual property, though the specific requirements vary across jurisdictions.
According to the Basel Committee’s Sound Practices (published in 2018), banks may need specialist competencies to determine whether their risk functions can maintain sufficient oversight of the emerging risks linked to new technologies.
In the context of outsourcing and its management, the expectation is that the personnel involved have the expertise, competencies, and qualifications needed to monitor the outsourced services or functions effectively and to manage the associated risks beyond mere compliance.
Regulators require institutions to recruit sufficient qualified personnel to ensure continuity in the management and monitoring of outsourced services or functions, even when a key person leaves the entity or is otherwise absent. If an entity lacks sufficient internal resources, in know-how or in numbers, the general requirement is that external technical resources (such as consultants and specialists) be engaged to complement the in-house personnel.
Supervisory practices likewise have commonalities: the adequacy and qualifications of the personnel managing third-party connections and relationships are assessed during on-site inspections. In jurisdictions where financial supervisors can directly assess third parties, they analyze the sufficiency and qualifications of the third party’s staff and require the third party to perform background checks.
Lastly, personnel holding the Certified Information Systems Security Professional (CISSP) certification, or a certification from an institution that complies with the ISO 9001 Quality Management System standard, provide extra assurance that staff have the qualifications required to manage third-party connections.
Many jurisdictions require that the supervisory authority be informed of material outsourcing contracts entered into by the regulated organization, and impose conditions such as a minimum level of visibility for the regulated institution over the outsourced functions.
Beyond notification and authorization, regulated institutions are usually required to maintain an inventory of outsourced functions (for example, IT assets such as computer hardware and software) and to obtain periodic reports from service providers, mainly on the measurement of service level agreements and the performance of the relevant controls. In some jurisdictions, sub-outsourcing must also be made visible to the regulated institution so that it can manage the associated risk.
Supervisory expectations on the visibility of third-party connections vary across jurisdictions. For instance, US authorities require the identification, documentation, and classification of suppliers to address information security issues.
Practice Question
Assume that you are a human resource manager at a reputable bank. Your bank has advertised a supply chain manager post, and you have been entrusted with shortlisting candidates based on their qualifications. Based on the Basel Committee report on regulated institutions, which qualifications should you look for in the candidates?
A. Certified Information Systems Security Professional (CISSP) certification
B. Certification from an institution compliant with the ISO 9001 Quality Management System standard
C. Considerable skills in risk management
D. All of the above
The correct answer is D.
Personnel holding the CISSP certification, or a certification from an institution that complies with the ISO 9001 Quality Management System standard, provide extra assurance that they have the qualifications required to manage third-party connections. In addition, the personnel should be able to manage the associated risks beyond mere compliance.