Cybersecurity is on the Regulators' Radar

The following article was previously published on FT Adviser.

Cybersecurity concerns and privacy laws have come charging to the forefront of regulation in recent years.

This year will be the year that financial companies are held accountable for failing to ensure their businesses can withstand disruptive events that could impact the broader markets.

Like most other sectors, the financial services industry is being quickly transformed by digitalisation and technology innovation.

However, as companies become more reliant on technology, regulators are keeping a close watch on how they manage their cybersecurity and technology risk.

This has led to a new paradigm: operational resilience.

Operational resilience, as defined by the Bank of England, is “the ability of firms and the financial systems as a whole to absorb and adapt to shocks, rather than contribute to them”.

Building operational resilience requires a cross-business function approach and includes how a company mitigates the risks inherent in the systems and technology it uses, whether in-house or through a third-party vendor, as well as how it responds in the event of an actual incident.

Fitting with regulation

In the same way that balance sheet resilience has been a key focus of regulators since the 2008 financial crisis, operational resilience will be the key focus for the next decade.

The rapid acceleration of technological change in financial services, combined with the potential for inadequate cybersecurity and technology risk management, has made operational resilience a global regulatory priority.

Several regulators have recently laid out their expectations with respect to enhancing operational resilience in financial services, or have started consultations as a precursor to doing so.

The focus of recent statements and consultations from the likes of the Financial Conduct Authority and the US Securities and Exchange Commission has been to broadly encourage all financial services companies to adopt cybersecurity and operational resilience best practices.

Under the FCA’s recently implemented Senior Managers and Certification Regime, for example, senior managers are ultimately responsible for their company’s operational resilience.

Best practices

Even though there are several different regulators, each building their own programmes to tackle the issue, there are several common areas that companies can concentrate on to build operational resilience. These include:

• Strategy and governance. Ensuring board understanding and sponsorship is key. Define your company’s strategy based on analysis and understanding of core business functions, together with the people, process, technology, and third-party dependencies that underpin them.
• Risk assessment and management. It is critical to encode the effective identification, analysis, evaluation and management of cybersecurity risks within your business strategy.
• Threats and vulnerabilities. Ensure that the company has a good handle on key threats and vulnerabilities such as staff awareness, third-party risk, access controls on remote access, and cloud-hosted systems. Penetration testing and vulnerability assessments will help identify issues requiring remediation.
• Incident response. It is highly likely that your company will suffer a breach at some point in time, so make sure the entire business is well prepared. It is critical to have in place a well-defined incident response plan/procedure and conduct regular simulation tests.

It is imperative the financial services industry raises the operational resilience bar in 2020 and beyond.

About the Author

Carlo di Florio is the Global Chief Services Officer of ACA Compliance Group. At ACA, Carlo is responsible for defining and executing the vision for ACA’s governance, risk, and compliance (“GRC”) service offerings. His responsibilities include oversight, management, and strategic growth of ACA’s global regulatory compliance, cybersecurity and risk, AML and financial crimes, and performance practices.

Prior to joining ACA, Carlo worked for over 25 years in executive leadership roles at PricewaterhouseCoopers (PwC), where he was a Partner in the Financial Services Risk & Regulatory Practice; the Securities and Exchange Commission (SEC), where he was the Director of the Office of Compliance Inspections and Examinations (OCIE); and the Financial Industry Regulatory Authority (FINRA), where he was the Chief Risk & Strategy Officer.  In these roles, Carlo led the design and implementation of large-scale regulatory compliance improvements, technology and data analytics transformations, and risk management program enhancements.

Carlo also serves as Co-President and Governor of the Risk Management Association (RMA) NY Chapter and as Adjunct Professor at Columbia University, Master of Science program in Enterprise Risk Management.  Carlo has been named one of the 100 Most Influential Leaders in Corporate Governance by the Association of Corporate Directors; one of the Top Trailblazers & Pioneers in Governance, Risk & Compliance by The National Law Journal; and one of the Most Influential People in Finance by Worth Magazine.