As part of an ever-increasing focus on data security, the FCA has produced an industry insights document that identifies cybersecurity governance as a key best practice that regulated firms should implement. What practical steps should your firm take to implement cybersecurity governance and minimise your risk exposure?
Awareness around the importance of data security is constantly increasing across all industries, and businesses operating in the highly regulated financial services sector are no exception. As part of this heightened focus, the Financial Conduct Authority (FCA) has once again reinforced its commitment to cybersecurity through the publication of a new industry insights document. The aim of the document is to improve cybersecurity practices amongst regulated firms, and it provides insights from cyber coordination groups (CCGs) made up from over 175 firms across the different financial sectors.
The document provides insights from the CCGs around best practices and experiences throughout a range of areas, the first of which is cybersecurity governance. At Six Degrees, we agree that governance is a key element of a robust cybersecurity strategy, and we actively support FCA-regulated firms in implementing cybersecurity governance best practices.
In this blog post we will expand upon the best practices and experiences highlighted in the FCA’s document. Our aim is to provide practical advice that puts your firm in the best possible position to implement robust cybersecurity governance throughout the organisation.
Adopting a Top-Down Approach
Putting cybersecurity on the executive agenda depends on educating the board on the importance of good cybersecurity governance. This should be placed in the context of the continuing success of the firm in terms of the financial, operational and reputational impact of any breach.
Awareness is vitally important, but education needs to remain punchy, clear and concise: in our experience we’ve found that implementing robust cybersecurity governance is 30% education, and 70% buy-in. You will need examples to back up the importance of cybersecurity governance – as the FCA guidance advises, you should use case studies and incidents reported in the media to highlight potential risks and help executives link these risks to their business.
Executives will ask ‘why should I care?’, and you need to be able to make them aware of current risks and relate these back to your business to highlight their relevance. In order to support this dialogue, we highly recommend employing the services of a Chief Information Security Officer (CISO).
Whether in-house or virtual, a CISO will enable you to review your business processes and ensure that each risk is ‘owned’ by a named executive. Your CISO should be backed up with a governance, risk and compliance (GRC) tool that presents a ‘scorecard’ for your organisation and allows you to understand and prioritise risks. You can then present these risks back to the board in a clear and digestible dashboard format.
Making it Simple
We can’t emphasise enough the need to use clear language and avoid technical jargon when articulating cybersecurity risks and best practices. Despite its importance, the simple fact is that cybersecurity is not the most exciting subject for many people, so anything you can do to make education and awareness more engaging and less opaque should be considered.
There are a number of cybersecurity providers who can advise you on best practices and help you to implement effective programmes that will allow you to engage and train your staff in the importance of cybersecurity and how they can help to protect your business.
In addition, cybersecurity champions are a great way to move cybersecurity governance up the business agenda. You should allocate responsible owners within each operating location and business area; they will help to influence their departments and drive cybersecurity engagement on the ground. Champions should ideally come from within each business area, and should have an understanding of cybersecurity requirements and the business objectives and corporate goals of the company as a whole.
Thinking Bigger Picture
There are many different types of malicious actor that can potentially target your business, and one size does not fit all. In insurance, for example, fraudsters are a key threat, alongside amateur attackers. Larger financial institutions, meanwhile, are more likely to be targeted by hostile nation states, organised criminals and activists. Ensure that your governance strategy fits with the wider context of your organisation and tackles the most prevalent and relevant threats.
When it comes to the links between risks and controls, we advise against over-engineering the measures you put in place – cybersecurity budgets can be hard to secure, and so you shouldn’t throw £200,000 at a £20,000 problem, for example. Ensure that you focus your resources in the areas that will deliver the greatest impact. There are lots of fancy and expensive tools out there, but an approach that prioritises the risks and puts the right basic measures in place first is likely to deliver the greatest return on your investment.
Standards such as ISO 27001 and Cyber Essentials Plus provide good practice frameworks, allowing you to benchmark your firm’s cybersecurity posture. Just remember that these standards provide minimum best practice measures; attaining one or more standards does not in and of itself make your firm secure.
Implementing Robust Cybersecurity Governance
The cybersecurity threat landscape is constantly shifting, and the FCA continues to reiterate the importance of cybersecurity to all regulated firms. Cybersecurity governance is a key aspect of any business’s security preparedness, and to implement governance throughout your firm you will need representation and engagement from the top down.
But if there is one thing we’d like you to take from this blog, it’s that all firms should have a CISO or virtual CISO (vCISO) in place. Your firm needs dedicated personnel with no conflict of interest to hold security responsibilities and protect you against both external malicious actors and insider threats.
If you’re keen to benchmark your firm’s cybersecurity preparedness, take our cybersecurity quiz. It only takes five minutes, and will give you a snapshot of where you are and what steps you can take to improve your cybersecurity posture.
You can also find out more about our vCISO services, delivering experienced, senior security professionals into security-conscious organisations, by getting in touch with us.