Banks have been warned they need to “mind the gap” in their cyber security efforts to ensure branch offices understand what is required.
A report from broker Marsh on cyber risk governance for banks has found there remains a disconnect between centralised functions for foreign banking organisations and the responsibilities that reside with their UK subsidiaries and branch offices.
“Cyber risk governance – How are the UK subsidiaries and branches of non-UK headquartered banks meeting their regulatory obligations?”, is based on the broker’s research among members of the Association of Foreign Banks (AFB).
It found UK subsidiaries and branches of non-UK headquartered banks are increasing their focus on the management of cyber risk, but further action needs to be taken by local boards and management committees to ensure that UK customer and stakeholder obligations continue to be met.
Marsh found that the majority (57%) of respondents have developed a localised view of cyber risk and are able to demonstrate clearly how their local and group level cyber risk controls combine to fulfil relevant UK regulatory requirements.
Further, 83% have catalogued the group-level services on which the UK bank depends and are in the process of documenting their intragroup outsourcing service level agreements (SLAs) as required by the Prudential Regulation Authority (PRA).
However, the report found a gap between risk identification and governance, and the practicalities surrounding risk assurance and preparedness. Only 13% of respondents reported that their leadership had regular and independent visibility of how well their controls operate in practice such as by independent penetration testing, by management information highlighting issues specific to their UK bank, or by having direct access to their own specialist cyber risk experts and auditors.
Charlie Netherton, Head of Marsh Advisory and Digital, UK and Ireland, Marsh, said: “While many banks are centralising their IT functions, UK boards and management committees ultimately remain responsible for ensuring that the potential risks to the bank’s UK operations are properly understood and managed, and UK regulatory requirements are being met.
“There is a danger that assumptions could be made about how responsibility and accountability is distributed between group and subsidiary/branch level. Senior managers at group and local level need to ‘mind the gap’ and ensure that there is proper dialogue on cyber risk and operational resilience between the UK branches and the overseas parent, in order to fully meet their regulatory obligations and be prepared for cyber events.”
According to the report, there are fundamental processes that foreign banks need to address, if they are to have confidence that the cyber risks associated with their UK operations are being managed effectively:
- Understanding how differences in local-level and group-level cyber risk exposure are identified and addressed.
- Defining how intragroup responsibilities and accountabilities are defined and managed.
- Ensuring that the UK board or management committee has the right level of oversight of relevant control activities (at both local and group level).
- Ensuring that the UK board or management committee is adequately prepared to deal with major cyber events when they occur.
Dr Catherine Raines, AFB CEO said: “The report identifies several areas of good practice that can help guide individual banks to improve their cyber risk governance approach. Despite the wide diversity in size, business models, and governance structures that characterises the AFB membership, there are common themes that apply to all foreign banks operating in the UK. The cyber security threat is constantly evolving. This report will be the start of an ongoing conversation between members to share best practice in cyber risk governance and identify ways in which they can play a part in improving the security and resilience of the UK financial services sector as a whole.”