Foreign banks falling short of UK's cyber risk management expectations

UK subsidiaries and branches of non-UK headquartered banks are falling short of the expected level of cyber risk management, according to a report from risk advisor and insurance broker, Marsh and the Association of Foreign Banks.

The joint report says that while efforts are being made to manage the risks, further action is needed by local boards and management committees to ensure that UK customer and stakeholder obligations continue to be met.

The report, Cyber Risk Governance: How are the UK Subsidiaries and Branches of Non-UK Headquartered Banks Meeting their Regulatory Obligations?, which is based on research among members of the AFB, found that the majority (57%) of respondents have developed a localised view of cyber risk and are able to demonstrate clearly how their local and group level cyber risk controls combine to fulfil relevant UK regulatory requirements.

Further, 83% have catalogued the group-level services on which the UK bank depends and are in the process of documenting their intragroup outsourcing service level agreements as required by the Prudential Regulation Authority.

However, the report found a gap between risk identification and governance, and the practicalities surrounding risk assurance and preparedness.

Charlie Netherton, head of Advisory and Digital, UK and Ireland, Marsh, said: “While many banks are centralising their IT functions, UK boards and management committees ultimately remain responsible for ensuring that the potential risks to the bank’s UK operations are properly understood and managed, and UK regulatory requirements are being met.

“There is a danger that assumptions could be made about how responsibility and accountability is distributed between group and subsidiary/branch level. Senior managers at group and local level need to ‘mind the gap’ and ensure that there is proper dialogue on cyber risk and operational resilience between the UK branches and the overseas parent, in order to fully meet their regulatory obligations and be prepared for cyber events.”

Dr Catherine Raines, AFB CEO added: “The report identifies several areas of good practice that can help guide individual banks to improve their cyber risk governance approach. Despite the wide diversity in size, business models, and governance structures that characterises the AFB membership, there are common themes that apply to all foreign banks operating in the UK. The cyber security threat is constantly evolving. This report will be the start of an ongoing conversation between members to share best practice in cyber risk governance and identify ways in which they can play a part in improving the security and resilience of the UK financial services sector as a whole.”

Key findings: Cyber Risk Governance: How are the UK Subsidiaries and Branches of Non-UK Headquartered Banks Meeting their Regulatory Obligations? (Source: Marsh and the Association of Foreign Banks)

Just 13% of respondents reported that their leadership had regular and independent visibility of how well their controls operate in practice such as by independent penetration testing, by management information highlighting issues specific to their UK bank, or by having direct access to their own specialist cyber risk experts and auditors.

Only 9% have achieved the highest level of crisis preparedness for a major cyber event – with the UK board or management committee directly involved in cyber crisis exercising.

Foreign banks need to address some fundamental processes if they are to have confidence that the cyber risks associated with their UK operations are being managed effectively:

• Understanding how differences in local-level and group-level cyber risk exposure are identified and addressed.
• Defining how intragroup responsibilities and accountabilities are defined and managed.
• Ensuring that the UK board or management committee has the right level of oversight of relevant control activities (at both local and group level).
• Ensuring that the UK board or management committee is adequately prepared to deal with major cyber events when they occur.

    Share Story:


Cyber risk in the transportation industry
The connected nature of the transport and logistics industries makes them an attractive target for hackers, with potentially disruptive and costly consequences. Between June 2020 and June 2021, the transportation industry saw an 186% increase in weekly ransomware attacks. At the same time, regulations and cyber security standards are lacking – creating weak postures across the board. This podcast explores the key risks. Published April 2022.

Political risk: A fresh perspective
CIR’s editor, Deborah Ritchie speaks with head of PCS at Verisk, Tom Johansmeyer about the confluence of political, nat cat and pandemic risks in a world that is becoming an increasingly risky place in which to do business. Published February 2022.