Insurance broking giant Marsh and the Association of Foreign Banks (AFB) have released a 26-page report that shines a spotlight on the accountability carried by UK subsidiaries and branches of overseas-headquartered lenders for ensuring they meet local regulatory requirements when it comes to cyber risk governance.
According to the report, titled “Cyber risk governance – How are the UK subsidiaries and branches of non-UK headquartered banks meeting their regulatory obligations?”, foreign banks have to address fundamental processes to ensure that cyber risks associated with their British operations are being managed effectively.
Bringing together findings from a series of interviews with AFB members, the report identified four dimensions of cyber risk governance. One is understanding how differences in local-level and group-level cyber risk exposure are identified and addressed.
Another dimension relates to intragroup responsibilities and accountabilities, and how these are defined and managed. Banks also need to ensure that the UK board or management committee has the right level of oversight of relevant control activities not only at the local but also at the group level. Equally crucial is seeing to it that the board or management committee in the UK is adequately prepared to deal with major cyber events.
It was highlighted that all of the companies interviewed by Marsh are making good progress and have recognised the need to establish the right level of in-country expertise so that UK-specific risks are identified and addressed within the group-level and local-level control framework.
However, it was found that only 9% have achieved the highest level of crisis preparedness for a major event, with the local board or management committee directly involved in cyber crisis exercising. Also, a mere 13% reported that their leadership had regular and independent visibility of how well their controls operate in practice.
“While many banks are centralising their IT functions, UK boards and management committees ultimately remain responsible for ensuring that the potential risks to the bank’s UK operations are properly understood and managed, and UK regulatory requirements are being met,” commented Charlie Netherton, head of Marsh advisory and digital for the UK and Ireland.
“There is a danger that assumptions could be made about how responsibility and accountability is distributed between group and subsidiary/branch level. Senior managers at group and local level need to ‘mind the gap’ and ensure that there is proper dialogue on cyber risk and operational resilience between the UK branches and the overseas parent, in order to fully meet their regulatory obligations and be prepared for cyber events.”
Meanwhile, as part of the report’s recommendations, Marsh outlined a set of key questions that AFB members can use to benchmark where they stand against their peers.
“The report identifies several areas of good practice that can help guide individual banks to improve their cyber risk governance approach,” noted AFB chief Dr Catherine Raines. “Despite the wide diversity in size, business models, and governance structures that characterise the AFB membership, there are common themes that apply to all foreign banks operating in the UK.
“The cybersecurity threat is constantly evolving. This report will be the start of an ongoing conversation between members to share best practice in cyber risk governance and identify ways in which they can play a part in improving the security and resilience of the UK financial services sector as a whole.”