Monitoring third parties’ cybersecurity is a growing concern for banks, according to Paul Williams, senior technical advisor, operational risk and resilience at the Bank of England (BoE).
“Cyber has been a key topic for the entire duration that I have been in the role at the bank, which has been five or six years,” said Williams, speaking on a panel at Sibos in London last week. “My view is that managing third parties, managing supply chain assurance of third parties, fourth parties, fifth parties and understanding that problem is likely, and certainly from the discussions I have had with the industry, creeping up as one of the bigger worries.
“It is easy to get dragged into the policy of despair at that point even on an institution’s basis, and so there are so many third parties, and the relationships are so complex we don’t know how to deal with those,” he said.
On May 14, the BoE’s director of supervisory risk specialists, Nick Strange, gave a progress report on operational resilience, and announced that the Financial Policy Committee (FPC) would have an upcoming stress testing pilot on payment systems.
“The FPC has indicated that it will establish a tolerance for the amount of disruption to the delivery of vital services, setting this tolerance at the point after which it judges that disruption would begin to cause material economic impact,” said Strange. “And where we will expect firms to test their own impact tolerances, the FPC will ask firms to test its tolerances too in severe but plausible scenarios.”
Later in the discussion, Williams said he wondered if “third party concentration risk is a red herring, particularly in the context of operational resilience.”
“Cloud service providers bring enormous benefits of scale and the resilience of the financial system in the UK can leverage that scale if implemented correctly,” he said. “It is possible that there may be more benefits from adoption of that infrastructure at scale than there are negatives from it.”
Conversations at global cyber security forums are beginning to shift, said Williams, as key regulators and standards bodies are acknowledging the importance of operational resilience in defending against cybersecurity threats.
“The key to successfully defending cyber attacks is to have an effective operational resilience strategy,” said Williams. “That has allowed the cyber debate to be less of a concern because we didn’t understand it, and now we know why it is a concern, and what we need to be doing to fix this.”
For Mark James, head of cybersecurity practice EMEA at Oliver Wyman, there has been growing unease around internal threats – that staff or third parties would do things that would put the bank at risk.
“I think a lot of senior management time has been spent in ensuring that those internal controls are as strong as they need to be,” said James.