From 31st March 2022, operational resilience rules and guidelines came into force for many organisations within the financial services sector. In this blog I will explore how the new rules and guidelines specifically include cyber resilience, as they come with a mandate that full mapping and testing of all aspects of operations must be completed over the next 3 years.
The Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (the Bank) jointly released the ‘Operational resilience: Impact tolerances for important business services’ paper in March 2021 to encourage a cohesive approach to operational resilience. Through consultation, the proposed requirements and expectations for firms were that they: identify important business services and understand the risk of disruption to these services; set tolerance levels for each important business service; and ensure continued delivery of each important business service within the defined tolerance levels in the event of severe disruption.
The operational resilience rules came into effect on 31st March 2022.
As defined by the Bank, operational resilience extends beyond business continuity and disaster recovery: robust plans must be in place to deliver essential services whatever the disruption. This includes cyber attacks, which are the most challenging for many organisations because they involve both known and unknown threats and risks. Cyber assessment tools, CBEST and CQUEST, have been designed to assist, and are being reviewed by many organisations, not just those within the financial services sector, to provide a valuable snapshot of an organisation's cyber resilience capability.
As discussed by Lyndon Nelson (Previously a Deputy CEO & Executive Director, Regulatory Operations and Supervisory Risk Specialists at The Bank of England until June 2021), “addressing cyber risk is to put oneself inside an Escher drawing and in particular the Penrose steps where we are constantly walking up the stairs and not reaching the top. This is the nature of the risk. It has a conscious opponent determined like a liquid to pour through cracks and find the lowest level of your controls and exploit them. If the risk adapts, then so must the response.”
So, whilst many organisations have built resilient IT environments, seeking high availability or the benefits of cloud-based operations, the challenge for cyber resilience remains when testing against emerging, unknown cyber threats that pose a significant risk to operational resilience. It is no wonder the Financial Conduct Authority (FCA) has called out specific measures around cyber resilience, for example where a cyber incident:
- results in a significant loss of data
- results in the unavailability of, or loss of control over, your IT systems
- affects a large number of customers
- results in unauthorised access to your information systems
Having spent a number of years working with various organisations in the industry, I believe there are three key areas where the focus needs to be in order to provide the utmost protection and highest level of cyber resilience, supporting operational resilience and reducing an organisation's risk. These three key areas are: Process; People; Technology.
Processes can sometimes be the hard part to define, but there are guidelines and certifications which can help. The National Cyber Security Centre (NCSC) refers to Cyber Essentials and Cyber Essentials Plus as certifications which focus on five key controls for cyber resilience (firewalls, secure configuration, user access control, malware protection, patch management). The NCSC claims that when these controls are implemented correctly they can prevent around 80% of cyber-attacks.
Another widely used certification is ISO 27001.
Although Cyber Essentials and ISO 27001 do complement each other, each addresses specific needs of its own. ISO 27001 certification takes into account all information, whether on paper, in systems, or on digital media, whilst Cyber Essentials protects the data and programs on networks, computers, and elements of IT infrastructure.
ISO 27001 has a specific section on measuring effectiveness, and it is usually one of the areas that trips most organisations up. Unless you have clear and tangible reporting, how does a Board know that their organisation is truly cyber resilient? Without this, the only options are a subjective risk assessment on a spreadsheet, or a more objective annual penetration test or external certification audit through Cyber Essentials or ISO 27001. As we know, an annual audit and verification simply is not sufficient in today's world.
So, a combination of process certifications and best practices provides a level of comfort to potential customers, suppliers and investors; however, it does not eliminate what is possibly one of the greatest risks: the human factor.
In a 2021 survey, the UK government revealed that of the 654 businesses that identified a breach or attack, 83% were breached due to a phishing attack.
Whilst more sophisticated anti-malware and threat detection software has been developed, the cybercriminals of the world understand that the effectiveness of these measures is only as good as the people who use and deploy them.
People do not have to be the weakest link, though; they can actually be your greatest asset. The way to make them the greatest asset is with the right support, and by ensuring that the business has the data and technology available to support them.
Data in relation to people means factual data about the effectiveness of awareness training and simulated phishing attempts. Can an organisation truly understand how competent its staff are from just an annual compliance test that people can guess and muddle their way through? What extra measures are being taken, and how are they being recorded? Are you truly seeing the effectiveness of your training? Are your simulated phishing attempts being spotted by every user? The protection of any business will be bolstered by a regular schedule of awareness, learning and simulations and, most importantly, by tracking the effectiveness of these measures.
As mentioned, investment in technologies and software development is a continual effort due to the ever-changing cyber risk landscape. Gartner estimates that spend on information security and risk management will total $172 billion in 2022, with more than half of that relating to technology spend. This investment in technology is key to minimising risk and increasing resilience, but investment alone will not be enough without the skilled services to manage the technology effectively. Skills shortages and skills gaps cause a problem which once again relates to the people side being either the greatest heroes or the weakest links.
There is a demand in the market to invest in the technologies and tools that can feed Security Operations Centres (SOCs), but is the investment there in the SOCs themselves? The view of many, if they cannot afford the internal personnel to operate a SOC, is to take the more cost-effective approach of outsourcing to experts. According to the Cyber Security Breaches Survey 2022 by the UK Government, nearly 40% of businesses have an external cyber security provider, with this number expected to rise. The same survey reports on how organisations are following the NCSC's 10 Steps to Cyber Security, and some of the numbers tie heavily back into a lack of Process, People and Technology. Some of the key figures: 41% of businesses have at least two cyber security policies or strategies; 29% train staff or run mock phishing exercises; 37% have proper vulnerability management in place; and 44% have tools to monitor logs for any breaches. Less than 50% of businesses have taken any action on five or more of the 10 steps.
The final piece of this cyber resilience jigsaw is that, whilst you may be satisfied that your Process, People and Technology have improved your cyber resilience to an acceptable level, what about that of your supply chain? Supply chains are often key to the resilience of an organisation, so it is also important to have a clear understanding of the cyber resilience of your supply chain. The concern is overwhelming when referring to the Cyber Security Breaches Survey, as only 14% of businesses monitor risks from suppliers or the wider supply chain.
It is becoming more common for organisations to demand that a base level of cyber security measures be implemented before conducting business with a supplier. It is important for organisations to implement such policies in order to reduce the risk posed by those they conduct business with.
In summary, to increase operational resilience an organisation cannot ignore the cyber risks that it faces. All measures should be taken: ensure full technical controls are in place, increase employee awareness, adhere to established information security standards, and monitor your supply chain's security measures. Research tells us that it is not a question of IF but WHEN an attack will happen to an organisation, so it is imperative to do everything you can to mitigate the cyber risk that your organisation is exposed to, and to know how effective your cyber resilience really is.
Written by Sean Tilley
Sean is the Sales Director at norm. He brings decades of experience to his role having worked in managed IT sales for 22 years. Sean is responsible for driving new business acquisition and scaling business operations in the UK with particular focus on smartbloc. the fully managed cyber security service from norm.