How can Boards effectively manage growing technology risks?

24 July 2024 | UK & Europe | Articles

Information security, cyber security and data privacy risks continue to form a key part of business-wide risk assessments in evaluating the impact on the adequacy of financial resources within the business, customer confidence and exposure to financial crime risks. To effectively tackle current and emerging risks, Boards are critical in driving effective policy, asking tough questions, and evidencing their approach to both developing policy and oversight of risk management to the regulator.

Regulators across jurisdictions take different approaches to supervision, however the common focus is on the use, effect, and level of reliance on technology when providing products and services to clients, rather than an assessment of the suitability of the technology itself within the business.

Boards need to strike the balance between the perceived or projected cost savings of technologies and the risk of over-reliance on automated or non-manual technological solutions, the failure of which may result in reputational damage, fines, and disruption.

While agility and efficiency are amongst key measures of success for the Board, there is a growing necessity to ensure that effectiveness of technology within the business is  properly tested and reported within compliance reporting.

As has been shown with the recent events caused by the CrowdStrike IT outage, technology risks do not always stem from “bad actors” but also from over-reliance on third party assurances or services (if untested).

What technology risks should boards consider?

Boards are expected to ensure that risks are appropriately identified and assessed under its business-wide risk assessments – including failure of systems and data security – and then monitored and controlled effectively as part of an ongoing compliance monitoring programme (CMP).

Boards are ultimately responsible for the compliance arrangements including the effectiveness of the CMP. Compliance report against the approved tests established under the CMP.

Through these arrangements, Boards must be able to evidence that effective policies, procedures and controls are in place for this purpose which is  easier said than done, considering the seemingly endless list of requirements, such as:

• Management Information – to enable effective oversight.
• Corporate governance controls – establishment of appropriate risk committees.
• Risk registers – asset; infrastructure; cyber event; data assets; breaches register; etc.
• Policy controls – acceptable use; email; password; network security; incident response; unsupported operating systems; back-up and storage policy; etc.
• Planning controls – business continuity; disaster recovery; back-up copies.
• Risk assessments – patching; vulnerability assessments (mobile devices, virtual machines, physical servers, phishing simulation click rates); third party management; and outsourcing.
• Technical controls – firewall controls, anti-virus, malware, back-up parameters, etc.
• Testing controls – penetration testing; phishing tests; business continuity tests, disaster recovery tests, back-up storage and retrievability tests; record keeping and retrievability tests.
• Horizon reporting – emerging threats and vulnerabilities (AI, ransomware, supply chain weaknesses, social engineering, etc).
• Training – security awareness; cyber and data protection/privacy.

Testing internal controls

Testing internal controls is crucial for ensuring the security and compliance of an organisation’s IT systems. Such tests may need to include:

• Regular phishing tests and security awareness reporting: Usually conducted through specialist third-party suppliers to evaluate and enhance employee awareness and response to phishing attempts.
• Cyber training and testing programmes: These initiatives aim to educate staff on cybersecurity best practices and assess their preparedness for potential threats.
• Evidence of third-party assurance: Such as accreditations from reputable external organisations to validate the effectiveness of internal controls.
• Corporate governance assurances: Demonstrating that the Board or relevant risk committee has considered legal and regulatory requirements, supported by evidence such as third-party IT security reports or assessments.
• Maintenance of risk registers: Including an assessment of the need to notify the relevant regulator, such as:
  • Cyber event register
  • IT asset register
  • Data protection register
  • Outsourcing register
• Quality of management information reporting: Ensuring comprehensive reporting on IT network security, including details on:
  • External incidents
  • Breaches
  • Lost devices
  • Data loss
  • Security events
  • Detection and response measures
  • Network monitoring controls
• Evidence of updated training logs, approved policy controls, and competent board reporting: Demonstrating ongoing training, policy adherence, and effective governance oversight.

Evidencing your approach

Upon request, Boards must be able to provide evidence to the regulator demonstrating that technology risks have been fully considered and implemented in accordance with the size, nature and complexity of their business.

The task can be made less daunting if the majority of information is contained within one quality control or operational manual (supported by additional assurance reporting). In most cases, a Security Information Report or System and Organisation Control (SOC) Report documenting how all the above risks are mitigated and controlled, alongside quarterly reporting and annual third-party assurance reviews should meet most compliance requirements.

For more information on the suitability of your current compliance arrangements, reach out to the team.

How can Bovill Newgate help?

Outsourcing of technology functions to third party service providers is an attractive, and common business model. However, without an effective SLA in place from the outset designed to mitigate failures, outsourcing models can fail with harmful consequences to your business and customers, as we have seen with the CrowdStrike IT outage world-wide headlines. Regardless of how you procure and resource, the Board remains accountable for effective oversight of these services.

We actively support clients to assess, improve and maintain their approach to managing technology risk.

We can support by providing:

• a modern compliance monitoring solution to complement your compliance function using an innovative compliance software solution called The Gateway.
• health checks and internal audits, reviewing policies, procedures and controls including the development of your business-wide risk assessments and assisting in the development of your risk appetites.
• review and development of Board management reports.