Subsidiaries of UK banks and branches of non-UK headquartered banks must boost cyber risk management to close the gap between risk identification and governance in order to meet UK regulatory requirements, according to a new survey by Marsh.
Produced in conjunction with the Association of Foreign Banks (AFB), which represents foreign banks in the UK, the survey found that 57% of AFB members polled have developed a localised view of cyber risk and are able to demonstrate clearly how their local and group-level cyber risk controls combine to fulfil relevant UK regulatory requirements.
In addition, 83% have catalogued group-level services on which the UK bank depends and are in the process of documenting their intragroup outsourcing service-level agreements, as required by the UK’s Prudential Regulation Authority.
But the research also found a gap between cyber risk identification and governance, as well as difficulties around risk assurance and preparedness.
Just 13% of respondents said their leadership had regular and independent visibility of how well their cyber controls operate in practice.
And only 9% have achieved the highest level of crisis preparedness for a major cyber event – where the UK board or management committee is directly involved in cyber crisis exercising.
Charlie Netherton, head of Marsh advisory and digital, UK and Ireland, said: “While many banks are centralising their IT functions, UK boards and management committees ultimately remain responsible for ensuring that the potential risks to the bank’s UK operations are properly understood and managed, and UK regulatory requirements are being met.
“There is a danger that assumptions could be made about how responsibility and accountability are distributed between group and subsidiary/branch level. Senior managers at group and local level need to ‘mind the gap’ and ensure that there is proper dialogue on cyber risk and operational resilience between the UK branches and the overseas parent, in order to fully meet their regulatory obligations and be prepared for cyber events,” he added.
A report detailing the survey findings lists fundamental processes that foreign banks need to address to have confidence that cyber risks associated with their UK operations are being managed effectively. These are:
- Understanding how differences in local-level and group-level cyber risk exposure are identified and addressed
- Establishing how intragroup responsibilities and accountabilities are defined and managed
- Ensuring that the UK board or management committee has the right level of oversight of relevant control activities (at both local and group level)
- Ensuring that the UK board or management committee is adequately prepared to deal with major cyber events when they occur.
Dr Catherine Raines, AFB CEO, commented: “The report identifies several areas of good practice that can help guide individual banks to improve their cyber risk governance approach. Despite the wide diversity in size, business models and governance structures that characterises the AFB membership, there are common themes that apply to all foreign banks operating in the UK.
“The cybersecurity threat is constantly evolving. This report will be the start of an ongoing conversation between members to share best practice in cyber risk governance and identify ways in which they can play a part in improving the security and resilience of the UK financial services sector as a whole.”