Our latest report ‘From Cyber Security to Operational Resilience’ examines the cyber risks facing financial services, the current landscape and future directions of cyber regulations, and the business responses needed to safeguard the resilience of financial institutions and systems.
The ten-year anniversary of the collapse of Lehman Brothers is a poignant moment to predict the culprit of the next financial crisis. This time around pundits are pointing their fingers not at a credit crunch but a cyber attack.
We are, after all, in a very different landscape: the past decade has seen a major shift in business and operating models in financial services following the “tsunami” of regulation and digital transformation. Prudential regulatory reforms have resulted in a more liquid and well capitalised financial sector, but the digitisation of finance has introduced new systemic risks – most notably cyber.
In its 2018 Risk Report, the World Economic Forum (WEF) cited cyber security as the biggest source of technology risk facing businesses worldwide, while the Centre for Strategic and International Studies (CSIS) put the economic cost of cyber crime worldwide at $600 billion – equivalent to a 14% tax on the digital economy.
Financial services are in the firing line when it comes to cyber attacks. Professional cyber criminals seek high-value targets, such as banks, while state-sponsored activities are now adding to the growing array of cyber threats. At the same time, supply chains in financial services are outgrowing firms’ and regulators’ oversight, introducing substantial cyber risks through third and fourth parties.
Adding to the financial sector’s vulnerability to cyber risks, the systematic importance of large financial institutions and critical market infrastructures also amplifies the macro-stability implications of any cyber breach.
Regulatory scrutiny has been ramping up in recent years: 41 out of the 56 existing cyber-related supervisory documents were introduced since 2016.2 A further 72 percent of G20 jurisdictions have reported plans to issue new regulations, guidance or supervisory practices that address cyber security in the financial sector over the coming year.
The UK regulators have been a leading force in treating cyber security as an integral part of operational resilience. The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have been clear in stating that operational resilience is a priority for the supervisory authorities, and is viewed as no less important than financial resilience.
The evolution of CBEST as a testing framework bears this view out. The introduction of a new, designated Senior Manager Function (SMF24 – Chief Operations) in November 2017 further reinforced the shift to viewing cyber security as a Board-level responsibility and an expanding dimension of operational risk.
Intensified prudential scrutiny – and potential capital charges – over cyber resilience is not inconceivable. Financial institutions should wake up to this prospect and start seeing cyber risks not just as a matter for the IT department, but also as a business critical consideration in optimising capital allocation and the whole enterprise risk management framework.
Ultimately, as financial institutions accelerate digital transformation, they need to safeguard themselves from both the increasingly complex threat landscape externally and the risks associated with their own digital innovations. This calls for cyber risk management to be driven by firms’ business strategies and objectives.
The financial services sector is embarking on the journey from cyber security to operational resilience – but doing this well requires a more strategic and coherent response from both financial institutions and their regulators. To start, they need to understand that cyber resilience is not just a cost of doing business, but also an enabler for growth.
For more information contact:
Phone: +44 (0) 207 100 7575