From December 2019, the revised Senior Managers and Certification Regime (SMCR) framework comes into force. Along with the many new responsibilities and accountabilities, senior stakeholders need to understand that they may be held partly, or fully, responsible for any cyber breaches that occur. Indeed, a failure to act proactively across the information security function could be construed as a breach of the conduct rules. Given the short timescale, what can you do to ensure that your firm, and the other accountable executives within it, are ready for the deadline?
Understand
Industry surveys commonly attribute over 90% of cyber security breaches to human error, so it is safe to say that mistakes in the workplace are more than costly. This, together with sometimes outdated or badly implemented technology and processes, means that it is a question of "WHEN" rather than "IF" an event occurs. Understanding not only the preventive measures but also the potential ramifications is key to managing cyber resilience successfully. Having the right people in place, asking the right questions at the right time, is business and risk critical.
Plan
For starters, we advise reviewing the Bank of England's CBEST framework, which sets out threat-intelligence-led penetration testing of a firm's critical systems by accredited providers. Whilst focused on the technical side, it gives an accurate point-in-time picture of how secure your systems are against realistic attackers and identifies the weaknesses that need addressing. The Bank of England's CBEST implementation guide may be of use:
https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbest-implementation-guide
In addition, experts in the field advise that a full process-mapping programme is conducted. This can help identify where human weaknesses in the chain may occur. Training will almost certainly be required to mitigate the risk. Your CIO, COO and CISO should be able to evidence these, together with a plan of action. It goes without saying that your CRO should have full oversight. The NCSC's Cyber Essentials scheme, which sets out baseline technical controls, may also be of use:
https://www.cyberessentials.ncsc.gov.uk/
Adapt
Ensure you have enterprise-wide programmes running to address any weaknesses, and that each is owned by an 'accountable executive' on the senior leadership team or ExCo. The threat is ever changing, so best practice is to make this part of business as usual (BAU). Also run regular simulations to understand what the most effective and appropriate responses are. Should the worst happen, you need to be able to evidence to regulators that you took all reasonable steps to protect the organisation and its clients. Other stakeholders also matter: being able to show preparedness to the media and other external influencers is important for managing reputational risk.
React
Marriott, British Airways, Equifax and Facebook suffered some of the largest cyber breaches of recent years. Cyber security experts agree that, with the right protection, most data breaches are avoidable. However, if your company does become the next Equifax or Facebook, the manner in which both the firm and its senior individuals react is critical to the longer-term survival and rehabilitation of the brand. The example of TSB, whilst an IT migration failure rather than a malicious data breach, underlines how failing to get in front of an issue can damage both the organisation and careers.
How can Norman Broadbent Interim Management Help?
As a trusted partner to senior leaders for a number of years, our network of interim professionals is there to support, supplement and often lead business-critical programmes. Bringing someone on board who has "been there, seen it, and done it" on numerous occasions and in different environments can be the difference between success and failure. With cyber resilience, there may be no more important issue for the organisation to address.
And as the holder of the SMF authorisation, the buck may stop with you!
If you would like to find out more about how Norman Broadbent's Interim Management Network can support you, or to discuss a specific assignment, please do not hesitate to contact Mike Davies, Director, on +44 (0) 207 484 0000 or via mike.davies@normanbroadbentinterim.com for an initial confidential discussion.