Asset Managers and Cybersecurity Risk Management Practices – Central Bank Update

According to an Industry Letter (the “Letter”) published by the Central Bank of Ireland (“CBI”), investment firms and fund service providers[1] (“Asset Managers”) could do better when it comes to their cybersecurity risk management practices (“RMPs”). In particular, while a number of firms have made good progress in certain areas, the CBI still has concerns regarding the adequacy of the arrangements that are in place to oversee all cybersecurity risks. The Letter must be brought to the attention of all Board Members and Senior Management before 30 April 2020.

Background

In 2016, the CBI published “Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks 2016”, highlighting the need for firms to have in place adequate processes to efficiently address cyber risk.

Recently, the CBI undertook a Thematic Inspection of Cybersecurity Risk Management in Investment Firms and Fund Service Providers, in order to determine the adequacy of cybersecurity controls and cybersecurity RMPs in place across selected firms. The Thematic Inspection examined (i) cybersecurity risk governance; (ii) cybersecurity risk management frameworks; and (iii) certain technical controls for mitigating cybersecurity risk.

The Letter

On 10 March 2020, the CBI published the Letter outlining its findings from its Thematic Inspection into the cybersecurity risk management practices of asset management firms.

While the CBI identified some good practices, as mentioned above, its broad view was that cybersecurity remains an underdeveloped practice in the asset management industry. According to the CBI:

“Firms must give more consideration and support to identifying and managing the different threats they are exposed to, whilst recognising that the inherent risks of IT are continuously increasing. Firms must focus on increasing the maturity of their cybersecurity model by driving a process of continuous improvement.”

Appendix 1 of the Letter sets out the CBI’s key findings and expectations in the following areas: cybersecurity risk governance; cybersecurity risk management; IT asset inventories; vulnerability management; security event monitoring; and security incident management (see Table 1 below).

The CBI expects Asset Managers to fully consider the findings and associated CBI expectations detailed in the Letter and to evaluate their own cybersecurity RMPs to establish whether any improvements are required.

Future risk assessments, including CBI inspections, may include a review of cybersecurity risk management and the issues raised in the Letter. Supervisors will discuss matters raised in the Letter during future supervisory engagement meetings.

Comment

Firms will need to review their existing cybersecurity RMPs in the light of the CBI’s key findings and expectations as set out in the Letter. Such a review appears particularly timely in light of the increased risk of cybersecurity attacks as a result of COVID-19 and the fact that staff are now primarily working from home. In this regard, please see our related briefing, COVID-19: Increasing Risk of Cyber Fraud.

Table 1: Key Findings and Expectations

Each area below lists the CBI’s summary of key findings followed by its expectations.

Cybersecurity and Risk Governance

Summary of key findings:

Boards and Senior Management are not sufficiently prioritising a robust cybersecurity culture, and cybersecurity risks are not adequately considered when developing the business strategy.

The CBI identified deficiencies in the governance of cybersecurity policies, including in firms’ oversight of Group or third party cybersecurity service providers.

Expectations:

Firms should have a comprehensive, documented and Board-approved IT and cybersecurity strategy, supported by sufficient resources and aligned with the overall business strategy.

Firms’ Senior Management should ensure that there is a well-defined and comprehensive IT and cybersecurity risk management framework in place that provides effective oversight of IT related risks and gives assurance to the Board regarding the management of these risks within the firm.

Cybersecurity Risk Management

Summary of key findings:

Firms make limited, and in some cases no, use of defined quantitative metrics in Management Information for monitoring, reporting on and measuring cybersecurity risk exposures against the approved risk appetite statement.

In general, Boards do not receive sufficient reporting on cybersecurity and other technology risks, for example regarding trends in a firm’s level of security risk incidents and near misses.

The CBI also observed conflicting reporting lines in some instances regarding cybersecurity risk personnel, who reported to senior first line of defence positions, resulting in a lack of independent challenge on cybersecurity risk.

Expectations:

Firms should implement, maintain and communicate an appropriate cybersecurity risk management framework that includes risk identification, assessment and monitoring, the design and implementation of risk mitigation and recovery strategies, and testing for effectiveness.

Cybersecurity risk assessments should be conducted at regular intervals, at least annually, and should be comprehensive, considering internal and external sources of risk.

Assessments should have appropriate parameters for evaluating and prioritising risk, such as risk likelihood and potential impact on the business operations of the firm.

IT Asset Inventories

Summary of key findings:

Firms were unable to demonstrate that there was a single, complete IT asset inventory solution in place. As a result, firms are not fully aware of all the hardware, software and data assets on their networks and therefore cannot assess the associated risks in a holistic manner.

Expectations:

Firms should establish and maintain a thorough inventory of IT assets, classified by business criticality, to support an effective IT Risk Management framework.

A process (for example, a business impact analysis) should also be in place to regularly assess the business criticality of IT assets and to assess the associated risks in a holistic manner.

Configuration baselines for IT assets should be established, with divergence from the baselines identified and managed appropriately.

Vulnerability Management

Summary of key findings:

The following deficiencies were identified in firms’ vulnerability management processes:

  • inadequate vulnerability management planning and mitigation activities;
  • frequently, either incomplete or unknown coverage of vulnerability scans;
  • in some cases, failure to use vulnerability scanning tools to identify devices that deviate from the security baseline.

Expectations:

Exposure to vulnerabilities should be assessed on a continuous basis, across the entirety of the IT estate, and should include identification of external and internal vulnerabilities.

Robust safeguards should be in place, including a proactive patch management process and comprehensive configuration hardening activity, to protect against cybersecurity threats.

Security Event Monitoring

Summary of key findings:

Firms were unable to demonstrate that security events from all pertinent systems and devices are collected by and analysed in the Security Information and Event Management system (SIEM).

Firms did not evidence sufficient oversight of outsourced Security Operations Center (SOC) services.

Expectations:

Cybersecurity management activities should address the timely detection of security events and incidents, ensure comprehensive monitoring of all assets containing or processing critical data, and assess the potential impact to the business.

Regular reviews should take place to assess the effectiveness of detection processes and procedures.

Security Incident Management

Summary of key findings:

Cybersecurity incident response and recovery plans were incomplete and/or not actionable. Issues identified included plans that were in draft, were not complete, had not considered key scenarios or were not part of a formal incident management framework. Furthermore, in some cases, the cybersecurity incident response and recovery plans were not tested.

Expectations:

Firms should have documented cybersecurity incident response and recovery plans in place that provide a roadmap for the actions the firm will take during and after a security incident. Incident response plans should address, inter alia, the roles and responsibilities of staff, incident detection and assessment, reporting and escalation, and the response and recovery strategies to be deployed. Communication with relevant external stakeholders, including customers and the Central Bank, should also form part of the response plan.
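Three of the findings in Table 1 share a root cause: without a single, complete asset inventory a firm cannot know whether its vulnerability scans cover the whole IT estate or whether every system holding critical data is feeding the SIEM. The following is an added illustration, not part of the Letter or of this briefing, of the reconciliation check a security team would run to evidence that coverage: it compares an asset inventory against a scanner export and a SIEM log-source list and reports the gaps, ranked by business criticality. All hostnames, dates and the criticality ratings are constructed for the example, and the 30-day scan age and 24-hour log-silence thresholds are assumptions rather than CBI requirements.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: str        # business-criticality rating from the inventory (assumed values: high/medium/low)
    holds_critical_data: bool


# Constructed sample inventory: the "single, complete" asset list the CBI expects firms to hold.
INVENTORY = [
    Asset("fa-app-01", "high", True),
    Asset("fa-db-01", "high", True),
    Asset("hr-file-01", "medium", True),
    Asset("dev-build-01", "low", False),
    Asset("print-01", "low", False),
]

# Constructed vulnerability-scanner export: hostname -> last completed scan.
SCAN_RESULTS = {
    "fa-app-01": datetime(2020, 3, 1),
    "fa-db-01": datetime(2020, 1, 5),        # scanned, but well outside the assumed 30-day window
    "dev-build-01": datetime(2020, 3, 9),
    # hr-file-01 and print-01 have never been scanned: the "unknown coverage" finding
}

# Constructed SIEM log-source list: hostname -> last event received.
SIEM_SOURCES = {
    "fa-app-01": datetime(2020, 3, 10, 8, 0),
    "hr-file-01": datetime(2020, 3, 2, 0, 0),   # onboarded, but silent for over a week
    "dev-build-01": datetime(2020, 3, 10, 7, 30),
    # fa-db-01 holds critical data yet sends nothing to the SIEM
}

AS_OF = datetime(2020, 3, 10, 9, 0)   # constructed "now" for the check
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def scan_gaps(inventory, scans, as_of, max_age_days=30):
    """Assets never scanned, and assets whose last scan is older than the assumed window."""
    unscanned, stale = [], []
    for asset in inventory:
        last = scans.get(asset.hostname)
        if last is None:
            unscanned.append(asset.hostname)
        elif as_of - last > timedelta(days=max_age_days):
            stale.append(asset.hostname)
    return unscanned, stale


def monitoring_gaps(inventory, siem_sources, as_of, max_silence_hours=24):
    """Critical-data assets the SIEM has never heard from, and those that have gone quiet."""
    not_onboarded, silent = [], []
    for asset in inventory:
        if not asset.holds_critical_data:
            continue
        last = siem_sources.get(asset.hostname)
        if last is None:
            not_onboarded.append(asset.hostname)
        elif as_of - last > timedelta(hours=max_silence_hours):
            silent.append(asset.hostname)
    return not_onboarded, silent


def prioritised(hostnames, inventory):
    """Order a gap list so the most business-critical assets are remediated first."""
    by_name = {asset.hostname: asset for asset in inventory}
    return sorted(hostnames, key=lambda h: (CRITICALITY_RANK[by_name[h].criticality], h))


def coverage_report(inventory, scans, siem_sources, as_of):
    """Management-information view: one coverage metric plus the ranked gap lists behind it."""
    unscanned, stale = scan_gaps(inventory, scans, as_of)
    not_onboarded, silent = monitoring_gaps(inventory, siem_sources, as_of)
    scanned = len(inventory) - len(unscanned)
    return {
        "scan_coverage_pct": round(100 * scanned / len(inventory), 1),
        "unscanned": prioritised(unscanned, inventory),
        "stale_scan": prioritised(stale, inventory),
        "siem_not_onboarded": prioritised(not_onboarded, inventory),
        "siem_silent": prioritised(silent, inventory),
    }


if __name__ == "__main__":
    for key, value in coverage_report(INVENTORY, SCAN_RESULTS, SIEM_SOURCES, AS_OF).items():
        print(f"{key}: {value}")
```

The `scan_coverage_pct` figure is the kind of quantitative metric the CBI found missing from Management Information; the ranked lists are what a Board report would summarise as trends over time. In practice the three inputs would be pulled from the CMDB, the scanner’s API and the SIEM’s log-source health view rather than typed in, and the check would run on a schedule so that a host that drops out of scanning or stops logging is noticed before an inspection does.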


[1] Such as Fund Administrators, Depositaries, UCITS Management Companies, AIF Management Companies, Alternative Investment Fund Managers, Investment Managers and Investment Advisers.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.