Financial services firms have historically been the main targets for hackers and cyber attacks, but this picture is gradually changing. According to the government’s 2022 Cyber Security Breaches Survey, 54% of financial and insurance firms identified a breach in the last 12 months, compared with 52% of businesses in the IT and communications sector.
The shift towards attacking the IT and communications sector is hardly surprising given the financial sector’s reliance on IT outsourcing: it potentially creates a back door through which hackers can reach lucrative targets. This approach can be seen in action in the success of high-profile third-party ransomware attacks by hacking groups such as LockBit; in malware delivered through software vendor SolarWinds; and in the exploitation of vulnerabilities such as Log4j in third-party environments. The head of Microsoft’s Security Response Centre suggests that third-party supply chain attacks will become increasingly common.
Regulation grows around third-party risk
These statistics are particularly concerning for financial services firms, who face a raft of regulations around outsourcing and managing third-party risk, such as:
- operational resilience, including the Prudential Regulation Authority's (PRA) PS7/21 focusing on outsourcing, which aims to ensure important business services can be restored following operational disruption, including disruption caused by cyber attacks
- European Banking Authority (EBA) guidelines on outsourcing and the PRA's SS/21 on outsourcing and third-party risk management, which aim to improve third-party oversight by individual organisations and by supervisory authorities
- EBA guidelines for ICT and security risk management, including expectations for third-party providers, and the Digital Operational Resilience Act (DORA).
While these regulations provide a more coherent overview of supply chain management processes, you can support your risk management teams by following best practice, as outlined in the National Cyber Security Centre’s (NCSC) recent guidance. This will help you develop a targeted approach to supply chain security and maintain regulatory compliance.
What's the NCSC guidance on supply chain cyber security?
The NCSC’s guidance follows the government’s 2021 call for views on supply chain security, where 67% of respondents felt that limited visibility into supply chains formed a severe barrier to effective supplier cyber risk management. In addition, 86% of respondents saw insufficient tools or assurance mechanisms to evaluate supplier cyber capabilities as a barrier.
The 2022 Cyber Security Breaches Survey supports these findings: only 34% of firms in the finance and insurance sectors monitor the cyber security risks posed by their immediate third-party suppliers. While this is almost three times the national average of 13%, only 7% of businesses also assess the cyber risks associated with the wider supply chain.
The NCSC’s guidance aims to address these concerns and offer a more cohesive framework to help businesses assess their supply chain. Its five-step approach is outlined below, building on the existing 12 principles of supply chain security.
1 Understand your business
The first step is to identify the risks to your firm and set your risk appetite. This should consider specific vulnerabilities and scenarios across your supply chain. You should also look at the impact of a successful cyber attack, including any regulatory action for personal data breaches under the General Data Protection Regulation (GDPR), or for exceeding impact tolerances under operational resilience. Gaining senior buy-in and pulling together the right team is essential to move the project forward.
2 Develop a consistent approach
Every business has its own ‘crown jewels’: the critical elements that need the strongest cyber security safeguards. For some, this will be intellectual property or personal data. For others, it will be the ability to maintain or restore important business services under operational resilience. With these crown jewels in mind, you can create a set of tiered security profiles and assign one to each third-party supplier. Each profile should grant only the minimum access the supplier needs to deliver its services and include a set of cyber security criteria that the supplier must be able to meet.
Once these are in place, you can develop a standardised plan to assess and compare your third parties’ cyber security processes. If you find any instances of non-compliance, develop a plan to bring the supplier back in line with your supply chain security expectations. Finally, as with other third-party regulations, it’s important to formalise your third-party cyber security expectations during contract negotiations.
3 Ongoing application and monitoring
At the contract award stage, it’s essential to conduct a thorough due diligence process that covers supply chain security concerns and essential cyber security standards. The procurement team may need further training to make sure the key requirements are upheld, as will the team managing the contract on a day-to-day basis.
You should embed effective controls to monitor your third-party cyber security processes throughout the duration of the contract. All third-party relationships come to an end sooner or later, so it’s important to make sure your exit plan protects all assets and prevents unauthorised access in future.
The board and senior management will need oversight of all third-party arrangements, so it’s important to develop appropriate metrics to support good governance.
4 Apply the framework to existing relationships
The NCSC suggests building a register of all third-party suppliers, which is already a requirement for financial services firms subject to the EBA outsourcing guidelines. A risk assessment will help you prioritise your existing contracts. At this point, it’s important to consider the critical functions of your business and your important business services under operational resilience.
Working with your suppliers will help identify and resolve any shortfalls in cyber security arrangements, as well as build on lessons learnt to strengthen your security framework. Once again, it’s important to keep monitoring these relationships and provide effective metrics to the board.
5 Continuous improvement
In a fast-changing cyber security – and regulatory – landscape, it’s important to review your supply chain security framework periodically to make sure it remains fit for purpose. Share any updates or concerns arising from this review with your third parties so they can inform their own cyber security processes. Updates are likely to be ad hoc as changes arise, but more regular collaboration could be helpful, and you can request this through a supplier security management plan.
Supply chain security is already a key concern for financial services firms, and the NCSC’s guidance will help develop a robust framework for cyber professionals.
To help embed these changes to improve visibility and influence across your supply chain cyber security processes, contact Ankur Aeran.