Supplier Assurance and Cybersecurity in the Front Line for FS
Improving operational resilience has long been a goal of the banking and financial sector, and gained real focus and attention with the 2018 publication of ‘Building the UK financial sector’s operational resilience’ – the joint discussion paper by the Bank of England, PRA and FCA.
Here Jake Holloway, Chief Product Officer for Rizikon Assurance at Crossword Cybersecurity PLC, explains why Supplier Assurance Frameworks are becoming more and more essential in the new world of operational resilience.
More recently, the introduction of SMF24 under the Senior Managers and Certification Regime has put the ownership of resilience firmly in the boardroom. Those in the new SMF24 role need to have complete visibility of the operational risks that might exist not only in the organisation, but also within its own supply chains and partnerships. As we have seen with recent IT outages and high-profile cyber security incidents, it is not always the institution itself that is at fault, but it is the institution that faces the critical attention of its customers, the media and the regulators.
A new era of supplier risk management for the financial sector
In order to manage risk and build healthy supply chains in the financial sector, the right supplier assurance processes need to be in place. This could be seen as a challenge for procurement teams and the supplier onboarding process, but it reaches much further, with risk assessments needed across areas as diverse as anti-money laundering, the Modern Slavery Act, Health & Safety, GDPR and cyber security to name but a few.
Each of these areas impacts institutions in different ways, and indeed may require specialist expertise to assess the risks. Cyber security is a great example: a weakness such as an unpatched VoIP phone or laptop at one supplier may be exploited to reach back into the financial institution itself.
Normally, supplier assurance and procurement teams would stay well away from such technical and complex areas. For instance, with cyber security, where supplier due diligence requires a cyber security assessment, it’s happily handed over to specialists – whether internal or external. Any reports, risk acceptance or remediation activities are left with the specialists while supplier assurance teams focus on the core of financial risk, insurance cover, regulatory standards, governance and so on.
Building a Supplier Assurance Framework
Institutions need a different approach to reduce risks associated with suppliers, vendors and other third parties: one that combines the supplier assurance and procurement team’s approach, based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams. Supplier assurance and procurement teams have a far greater role to play in this than they may imagine, through the implementation of a Supplier Assurance Framework.
A good framework starts with the need for supplier assurance and other departments to gain an improved understanding of each other’s domains, objectives and responsibilities. A starting point is for them to jointly develop Supplier Impact criteria that systematically assess how much inherent risk every supplier or third party may carry in that department’s sphere.
Each supplier can then be measured against these criteria and its supplier impact level established. A different approach for each level of impact should be agreed jointly and completely standardised across the organisation. For example, a supplier with a Very High impact should be expected to demonstrate a high level of internal controls. For cyber security, this should take the shape of obtaining, or working to achieve, recognised standards such as ISO 27001, IASME Governance or NIST. This makes it the supplier’s responsibility to show a serious level of control, rather than the hard-pressed cyber security team’s responsibility to dive into hundreds of hours of audit work. It also has the benefit that a non-cyber specialist can easily determine whether the standard is present or not.
Where a technical assessment is needed, such as a penetration test or at least a “pen test” report from a credible third party, the supplier assurance team can be responsible for ensuring that this takes place – handing over the testing itself to the cyber teams or external testers where needed. This ‘management of risk’ role cannot be handed over though, as tempting as it is when the talk gets incomprehensibly technical.
The approach at each level of supplier impact should also contain the ongoing levels of compliance required in order to maintain good risk management. Again, the supplier assurance team can timetable these ongoing reviews and focus on the governance of third-party risk – whether cyber, continuity, financial or regulatory.
Total risk visibility for the SMF24 role
What really helps is that the different teams involved in supplier risk start to use shared information systems to record and visualise supplier risks. We have seen users creating really impressive supplier scorecards showing a combined view of financial, cyber, GDPR, modern slavery and other risks all on one simple chart for each supplier. For the person in the SMF24 role, this creates a shared understanding of the totality of risk from each supplier and helps specialist teams, such as IT, and the supplier assurance team understand how their worlds fit together.
The SMF24 role completely changes the emphasis on operations from management to proactive resilience, but to achieve that, the right supplier assurance framework, processes and technology need to be in place to give the boardroom the visibility it needs to control, manage and measure its exposure.