Govt faces call to boost ‘headless’ cyber risk framework

The government is facing calls to create a single point of responsibility to deal with cyber risk in the financial services sector amid concerns over accountability.

Andrew Tyrie, chairman of the Treasury Select Committee, has written to Chancellor Philip Hammond claiming a lack of coordination in the current cyber security system could leave the banking industry’s IT systems vulnerable to attack.

Mr Tyrie said the present arrangement, in which both a director-level group and a governance framework can serve as a single point to address cyber issues, resembles the "catastrophically inadequate" tripartite authorities that were set up to monitor system risk in banking in 1997.

The Conservative MP added: “The Chancellor has said that both a director-level group and a 'governance framework' provide a single point to address cyber issues in the finance sector. But who is in charge? Is it the director or does the framework take precedence? Who is he or she? A headless framework scarcely inspires confidence.

“The problem with such committees and frameworks is that all too often they only get the attention they deserve after a crisis – when it’s too late. This must not be permitted to happen in the case of financial cyber risk.

“It is essential that the intelligence community, regulators and wider government are coordinated in making sure that financial cyber crime has a high priority, and is not subordinate to other work.

“A single point of responsibility for cyber risk in the financial services sector – with a direct line of accountability to a single official, in turn accountable to a single minister, such as the chancellor – is now required.”

In January Mark Carney, the governor of the Bank of England, warned the increasing reliance on fintech platforms by the financial services industry could pose uncovered risks to the sector, leaving it vulnerable to cyber attacks and exposing the industry to financial instability.

Israel Barak, chief information security officer of Cybereason, said: “We find some financial services providers are continuously investing in establishing a sophisticated and well-thought of cyber security program, and are on top of the evolving threats, while collaborating and sharing information with relevant consortiums.

"However, there are still many providers that are struggling to meet even the regulatory requirements, as well as providers that take advantage of some lack of clarity of the regulation to maintain a cyber security posture that is less than adequate to address current and advanced threats.

"Having a single point of responsibility can contribute to the efficacy of the required regulatory reform and update process, because, as it relates to the average service provider, those companies will not make sufficient investments in cyber security unless forced to do so by detailed and specific regulation.”

simon.allin@ft.com