Out-Law News

Firms advised to assess their suppliers' cyber resilience in the same way they do their own


Financial firms should assess how resilient their suppliers are to cyber risk in the same way that they evaluate their own cyber resilience, a UK regulator has said.

Nausicaa Delfas, chief operating officer at the Financial Conduct Authority (FCA), said that firms should review the way all their suppliers "handle sensitive information", not just those that provide IT services.

"Consider them in the same light as you consider your own security, through the full lifecycle of the relationship, including pre-contract planning, due diligence, in-life contracting, monitoring and end-of-life termination phases," Delfas said. "This can be a challenging task, but we are encouraged to see firms seeking and applying new and innovative tools and techniques being applied in the management of the risk."

Some firms are leaning on assessments from intermediaries and automated tools as ways to satisfy themselves that suppliers are addressing cyber risk appropriately, she said.

"We are seeing services emerge where intermediaries perform assessments to a commonly accepted standard within the financial sector – standardising third party risk management processes, focussing on vendor due diligence and ongoing monitoring," Delfas said. "Instead of individually auditing each of their suppliers an intermediary standardises these audits and provides firms with information about their suppliers, on an ongoing basis."

"We are also seeing the growth of tools that automatically evaluate and measure the cyber security indicators of companies on the internet. They use publicly available indicators to calculate an aggregated security score. This gives firms a sense of their suppliers’ security performance – and whether they pose a higher data breach risk, for example… Potentially these tools provide a convenient way to prioritise your suppliers and determine which might need additional follow up," she said.
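To make the "publicly available indicators" Delfas refers to concrete, here is a small added illustration (not code from the FCA, Out-Law or any scoring vendor) of the kind of check such tools perform: it inspects a constructed snapshot of what an outside observer can see for a supplier's domain (DMARC and SPF records, HTTPS headers, accepted TLS versions, internet-reachable ports), turns each weakness into a penalty, and ranks suppliers for follow-up. The indicator set, the penalty weights, the 70-point threshold and the three sample suppliers are all assumptions chosen for the example.

```python
"""Toy supplier-exposure scoring from externally observable indicators.

Added illustration only. The checks, weights and sample data are assumptions
chosen for this example, not any real scoring product's method.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PublicIndicators:
    """Constructed snapshot of what an external scanner can observe for one domain."""
    domain: str
    dmarc_txt: Optional[str]      # TXT record at _dmarc.<domain>, if any
    spf_txt: Optional[str]        # v=spf1 TXT record at <domain>, if any
    https_headers: Dict[str, str] # response headers from https://<domain>/
    tls_versions: Set[str]        # protocol versions the server will negotiate
    open_ports: Set[int]          # TCP ports reachable from the internet


def dmarc_policy(txt: Optional[str]) -> Optional[str]:
    """Return the 'p=' policy of a DMARC record, or None if missing/malformed.

    The tag must follow the start of the record or a ';' so that 'sp=' (the
    subdomain policy) is not mistaken for the domain policy.
    """
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    m = re.search(r"(?:^|;)\s*p=(none|quarantine|reject)\b", txt, re.IGNORECASE)
    return m.group(1).lower() if m else None


def findings(ind: PublicIndicators) -> List[Tuple[str, int]]:
    """Map indicators to (finding, penalty) pairs. Penalties are illustrative."""
    out: List[Tuple[str, int]] = []

    policy = dmarc_policy(ind.dmarc_txt)
    if policy is None:
        out.append(("no DMARC record", 20))
    elif policy == "none":
        out.append(("DMARC policy p=none (monitor only, spoofed mail is delivered)", 10))

    if not ind.spf_txt or re.search(r"\+all\b", ind.spf_txt):
        out.append(("SPF missing or permissive (+all)", 10))

    headers = {k.lower(): v for k, v in ind.https_headers.items()}
    if "strict-transport-security" not in headers:
        out.append(("no HSTS header on the HTTPS front door", 5))

    legacy = ind.tls_versions & {"SSLv3", "TLSv1.0", "TLSv1.1"}
    if legacy:
        out.append(("legacy TLS accepted: " + ", ".join(sorted(legacy)), 15))

    # Assumed list of ports that should never face the internet unauthenticated.
    risky = ind.open_ports & {21, 23, 445, 1433, 3306, 3389}
    if risky:
        out.append(("remote-admin/database ports exposed: "
                    + ", ".join(str(p) for p in sorted(risky)), 25))
    return out


def score(ind: PublicIndicators) -> int:
    """Aggregate to a 0-100 score where 100 means no external findings."""
    return max(0, 100 - sum(penalty for _, penalty in findings(ind)))


def prioritise(suppliers: List[PublicIndicators], threshold: int = 70) -> List[Tuple[str, int]]:
    """Suppliers scoring below the follow-up threshold, worst first."""
    ranked = sorted((score(s), s.domain) for s in suppliers)
    return [(domain, sc) for sc, domain in ranked if sc < threshold]


# Constructed sample data, not real scan results.
SAMPLE_SUPPLIERS = [
    PublicIndicators(
        domain="payroll-vendor.example",
        dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@payroll-vendor.example",
        spf_txt="v=spf1 include:_spf.example -all",
        https_headers={"Strict-Transport-Security": "max-age=31536000"},
        tls_versions={"TLSv1.2", "TLSv1.3"},
        open_ports={443},
    ),
    PublicIndicators(
        domain="print-shop.example",
        dmarc_txt=None,
        spf_txt="v=spf1 +all",
        https_headers={},
        tls_versions={"TLSv1.0", "TLSv1.2"},
        open_ports={443, 3389},
    ),
    PublicIndicators(
        domain="cloud-backup.example",
        dmarc_txt="v=DMARC1; p=none",
        spf_txt="v=spf1 include:mail.example ~all",
        https_headers={"strict-transport-security": "max-age=63072000"},
        tls_versions={"TLSv1.2"},
        open_ports={443, 22},
    ),
]

if __name__ == "__main__":
    for s in SAMPLE_SUPPLIERS:
        print(s.domain, score(s), findings(s))
    print("needs follow-up:", prioritise(SAMPLE_SUPPLIERS))
```

Run as-is, the print shop scores 25 and is the only supplier flagged for follow-up; the payroll vendor scores 100 and the backup provider 90. The point of the example is also its limitation: every check is an outside-in view of hygiene, so a high score says nothing about how the supplier handles the sensitive information it receives, which is exactly why the FCA frames scoring tools as a way to prioritise due diligence rather than replace it.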

Speaking at the Cyber Security Summit and Expo 2017 last week, Delfas said the FCA does not consider cyber risk to be "a purely technical issue" and said firms need to "move people into the right mindset on security" as well as have the right processes in place to be able to "recover and respond" should a cyber incident occur.

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said recently that businesses that experience cybersecurity breaches should follow an organised workstream to manage those incidents successfully.
