Key Takeaways from 1LoD’s Resilience, Cyber, and 3rd Party Risk Deep Dive Report
Financial services firms are scrambling to digitize and scale their operations to keep up with the changing times. This means moving data and systems to the cloud, relying more on third-party vendors, and managing an increasingly distributed workforce.
While this can be great for productivity, it introduces new risk factors that need to be identified, planned for, and monitored. This is where operational resilience comes in: the ability of your firm, your customers, and the capital markets to withstand the shock of a breach, cyber-attack, or other disruption to your business.
Regulators recognize this importance as well. Across the globe, they are tightening their focus on how firms are managing their operational and cyber risks. Regulators want to see that firms are investing in operational resilience and have the proper planning, policies, controls, and monitoring in place to protect their customers and the capital markets in addition to their own P&L.
This was the topic of discussion at 1LoD’s recent Deep Dive forum on operational resilience, cybersecurity, and third-party risk. Attendees represented financial institutions (75%), technology firms (13%), consultancies (11%), and regulators (1%) from around the world. Speakers featured experts in resilience and cybersecurity, including ACA Aponix® Partner Michael Pappacena.
Below are some key takeaways from the post-event report published by 1LoD. We recommend downloading the full report to get a sense for what your peers are doing, how your firm compares, what regulators expect, and what you need to do to build a stronger operational resilience program.
- Regulatory scope has expanded beyond just cybersecurity to focus on broader operational resilience. While regulators have largely refrained from issuing strict requirements in this area, they have made it clear that they are concerned with how firms are handling operational resilience. They view cyber-attacks and other business disruptions as a threat to the stability of the capital markets.
- Operational resilience goes beyond business continuity planning (BCP) and disaster recovery planning. A true operational resilience program involves evaluating the likelihood of certain events happening and then understanding how they would impact critical systems and processes. These include not only your own business’ critical systems and processes, but those that are critical to customers as well.
- Resilience and cyber risks should be owned by the business. Operational resilience is an enterprise-wide effort that requires full participation and a centralized resilience function. Cyber is no longer just a concern for the IT department.
- Third-party relationships present great resilience challenges for firms. Speakers emphasized the need to understand a vendor’s cyber programs and culture to ensure they align with your own — before you even sign a contract. As ACA’s Pappacena said, “Conduct your due diligence upfront so that you get the level of detail from a supplier to help you make an informed choice. And then the key is frequent testing and validation.”
How we help
ACA Aponix® can help your firm build a stronger program for managing resilience and cybersecurity risks. We offer a range of services, including:
- Risk assessments and compliance readiness
- Operational resilience and governance
- Vendor due diligence
- Portfolio oversight
- and more
If you have any questions, please contact your ACA Aponix consultant or contact us here.