This document discusses cyber resilience and third party risks in financial services. It focuses on three areas: 1) Measurement - obtaining independent and timely data on suppliers' cyber posture compared to peers. 2) Mitigation - engaging suppliers to identify exploitable vulnerabilities to reduce risks. 3) Management - implementing governance dashboards to show executives how the firm compares to competitors on issues like breach response capability. Throughout, it provides examples of suppliers that have been breached and emphasizes the importance of continuously monitoring key suppliers' cybersecurity.

1. Cyber
Resilience
focussed on 3rd Party Risks in Financial Services
Kevin Duffey
Managing
Director
November
2020

2. Measurement, Mitigation & Management of Cyber Risk
should be as objective, timely & dynamic as for Market Risk

3. 1. Measurement: obtain independent, objective, & timely
data on the cyber posture of your material suppliers, vs peers
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Oct 2020: European IT services group Sopra Steria hit by Ransomware.
Supplier to HSBC, RBS, Bank of China and Crédit Agricole says it is "working hard for a return to
normal”
The firm issued a terse statement confirming a cyberattack on its IT network on 20th October.

4. 2. Mitigation: engage your material Suppliers to show
what hackers can exploit, to reduce risks across suppliers
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Microsoft
Finastra
Equifax
HIS Markit

5. 3. Management: implement Governance dashboards that
show Execs how your firm compares with your competitors
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Breach Response
Capability Maturity

6. Today’s Cyber Environment
“The NCSC handled over 3x as many ransomware incidents as last year”
3rd November Highlights of the year for UK’s National Cyber Security Centre

7. Example:
Ransomware hitting supplier of Covid vaccine
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Oct 2020: Covid-19 vaccine manufacturing delayed by ransomware
Drug production by generics firm Dr Reddy “briefly” delayed by ransomware in USA, India, Russia &
UK
Dr. Reddy’s Laboratories isolated all data centres
and stopped some production, according to media reports on Friday, 23rd October.

8. COVID-19 Vaccine delayed by Ransomware attack in October
Astra Zeneca’s supplier of clinical trials, IQVIA, was hit when its supplier ERT was breached
On 4th October 2020, the New York Times reported that Astra Zeneca’s
supplier of clinical trials, IQVIA, had been impacted when its software supplier
ERT was breached by Ransomware. This graph shows IQVIA’s own failing
score on Patching Cadence over the months before the breach.
This graph shows ERT’s failing
score on Network Security over
the months before the breach.

9. Fiona van Echelpoel
Deputy Director General, European Central Bank, October 2020
During Covid19…
“The Covid-19
outbreak brought
ransomware attacks,
culminating in the
death of a patient
due to an attack on a
hospital.
“Ransomware
attacks have
tripled.”

10. October 2020:
Increased number of organizations are paying ransoms

11. Special Advisory from US Treasury Department:
“the severity & sophistication
of ransomware continues to rise”

12. Special Advisory from US Treasury Department:
“paying ransom may contravene US law,
including the Trading with the Enemy Act"

13. During Covid19…
“significant cyber
events have
impacted 3rd
party providers,
which highlights the
importance of
understanding the
operational
resilience of
key 3rd party
suppliers."
Nick Strange
Supervisory Risk Specialist, Bank of England, Oct 2020

14. Question for Delegates
What are the key 3rd party suppliers to the
UK’s Finance Sector, that either:
• have been breached in 2020, or
• you worry might be breached in 2021?

15. Question for Delegates
What are the key 3rd party suppliers to the
UK’s Finance Sector, that either:
• have been breached in 2020, or
• you worry might be breached in 2021?
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.

16. Jan 2020: these banks hurt by Ransomware

17. Jan 2020: these banks hurt by Ransomware
The Ransomware hit their supplier, Travelex

18. Jan 2020: these banks hurt by Ransomware
The Ransomware hit their supplier, Travelex

19. Online, real-time reporting before breach
CurrencyFair
Transfast
Torfx
One World
MoneyCorp
PayPal
Travelex
Impact tolerances at a dozen UK Banks were breached in Jan 2020,
as their travel money provider Travelex was breached by cyber attack.
Travelex had said it “conforms to ISO27001” & has “robust data privacy”.
Leading CROs had the facts graphed above, before the breach. 19
Travelex was breached after a year of worse cyber posture than peers

21. Application
Security
Vs peers
Network
Security
Vs peers
Patching
Cadence
Vs peers
Finastra breached “while we
focused on emergency plans for
operating under Covid-19”
- CEO statement
Finastra’s security team had
pushed to fix known security
issues but were “over-ruled
by senior managers”
- Bloomberg
Leading CROs had real-time facts
before the breach.
Breach happened in March 2020
while “focused… on Covid-19”
21
Online, real-time reporting before breach

22. Online, real-time reporting during COVID

23. October 2020
37% are increasing
spend on Data Security
53% of those expect
their bigger spend on
security to outlast Covid
How suppliers are changing under Covid
The Good News

24. Published October 20202: survey of 330 organisations
How suppliers are changing under Covid
The Bad News
24% are decreasing spend on Data Security
Do you know which of your suppliers are doing that?

25. #1: = Supply Chains
October 2nd, 2020
So no surprise that Supply Chains are now focus

26. Richard F Smith, former CEO of Equifax

27. Engaging Key Colleagues is right start
Barrie Millett, Group Head of Operational Resilience, Wesleyan Group
27
March 8th, 2019

28. Engaging Key Colleagues is right start
Barrie Millett, Group Head of Operational Resilience, Wesleyan Group
March 8th, 2019
Equifax Used What their Internal Auditors Called
an ‘Honor System’ for Patching Vulnerabilities.
“Equifax had no formalized method of validating the successful installation
of patches. Audit referred to this approach as an ‘honor system’in which the
IT team would notify the security team once patches were complete.”

29. What does an
“honor system” for
patching look like?

30. What does an
“honor system” for
patching look like?

31. What does an
“honor system” for
patching look like?

32. Example Dashboards for Cyber Resilience
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.

33. Question for Delegates
If you want to try the Cyber Risk
measurement Dashboards, write
your name.
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.

34. The PRA Paper: CP30/10
34

35. The PRA Paper: context
35

36. The PRA Paper: context
36
Operational Resilience - Key Concepts
Operational Resilience is the ability to prevent, adapt, respond to, recover and learn from operational disruptions.

37. The PRA Paper: content
37
Responses are
requested by
October 2020
This CP is
relevant to
almost all UK
Firms
Complete
Outsourcing
Register by 31
Dec 2021
Builds on EBA &
EIOPA
Guidelines +
TSC reports
Proposals in SS
summarised:
Definitions &
Scope.
Proportionality,
Governance,
Record Keeping,
Materiality.
Due Diligence,
Agreements,
Data Security,
Info Rights.
Sub-Outsourcing
Business
Continuity &
Exit Plans
Systemic Risks
The PRA’s Duty
to Consult
PRA’s Objectives
Regulatory
Principles
Treasury Goals
1. Intro:
Set expectations
on Outsourcing
& 3rd Party Risk
This SSxx/20
Complements SS
on Operational
Resilence
4. Governance:
Robust info for
Board oversight
& challenge
Required
Contents of
Policy & of
Record Keeping
3. Proportionality:
Firms below
Category Two
can outsource IA
2. Definitions
A 3rd Party has
contract to
provide service
5. Pre Outsource:
Materiality (vs
Threshold
Conditions)
Automatically
Material if 3rd
Party could
impact TCs/FRs
Consider…
IT & cyber
security controls
+ breach impact
6. Agreements
Set… minimum
cybersecurity
requirements
Ongoing monitor
of effectiveness
of supplier’s
security controls
9. Sub-Outsourcing
At minimum,
monitor key sub-
outsourcing
providers.
10. Continuity
Consider
deliberate
cyber-attack.
Stressed Exits.
Governance
and Testing of
Plans
Contingency
Plan best
practices, eg
Step In Rights
Appendix
Guidance on
Outsourcing
Register.
8. Audit Rights
Online, real-time
reporting tools
are strongly
encouraged.
7. Data Security
Implement
protection of
outsourced data

38. The PRA Paper: content
38
The first third of the Consultation Paper provides context and
commentary for the draft Supervisory Statement that follows.
The second two-thirds of the Consultation Paper is the draft
Supervisory Statement to be published in 2021 after consultation.

39. The PRA Paper: content
39
The first third of the Consultation Paper provides context and
commentary for the draft Supervisory Statement that follows.
The second two-thirds of the Consultation Paper is the draft
Supervisory Statement to be published in 2021 after consultation.

40. 21
Bank of England PRA Consultation Paper
on 3rd Party (Cyber) Risk Management

41. 41
GDPR, Article 32
“Taking into account the state
of the art…
… Controllers must have a
process for regularly testing,
assessing & evaluating the
technical measures for
security at information
processors.”
Only leading firms are obeying existing law

42. Equinix Breached, after a year of poor cyber security
Sept 2020: Equinix - leading data centre provider - breached
Operating in 25 countries, Equinix was reported to have paid ransom on 16th Sept 2020
Marcus Evans delegates have an advantage, as you’re are entitled to
online, real-time reporting on all suppliers for 100 days.
Email: Assistance@CyberRescue.co.uk with subject line “Cyber Resilience”

43. Marcus Evans delegates have an advantage, as you’re are entitled to
online, real-time reporting on all suppliers for 100 days.
Email: Assistance@CyberRescue.co.uk with subject line “Cyber Resilience”
Oct 2020: European IT services group Sopra Steria hit by Ransomware.
Supplier to HSBC, RBS, Bank of China and Crédit Agricole says it is "working hard for a return to
normal”
The firm issued a terse statement confirming a cyberattack on its IT network on 20th October.

44. Question for Delegates
What are the job titles of colleagues
who share some responsibility for
cyber resilience?
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.

45. Answers from previous Delegates
45

46. Answers from previous Delegates
46
CEO COO 3rd Party Oversight Provider Chair Risk Committee Product Commercial
CFO CRO
Compliance /
Financial Crime
Operational Resilience Contracts Procurement
CIO CTO Business + Operations Operational Risk DPO Supplier Relationship
CISO Auditor Communications Business Continuity Legal Project Manager

47. Answers from previous Delegates
11 people should be in your team, said Caleidoscope, See2020 & ScreamCastle.
Project Tango suggested 12 individuals, while Hawkeye said 8 individuals.
The 11 job titles that most experts thought should be in the Project Team were:
CRO; COO; CISO; CTO; DPO; Legal; Procurement/Contracts; Project Manager.
Operational Resilience; 3rd Party Oversight Provider; Communications.

48. Set your SMART goals for calendar 2021,
for Operational Resilience project on cyber risk across your supply chain
48

49. 49
Discussion: How do you define your
Impact Tolerance for your suppliers?

50. 50
Set your Risk Appetite for your suppliers

51. Categorisation: Suppliers are “material” if their
failure might challenge your firm’s “safety & soundness”
Key
(30%)
Material
(10%)
Transactional
(40%)
Strategic
(20%)
More difficult to exit from the relationship
Supplyingessentialservices
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.

52. Categorisation: Suppliers are “material” if their
failure might challenge your firm’s “safety & soundness”
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.

53. CQUEST is based on our favourite, NIST
CQUEST consists of multiple-choice questions:
• It is based on the 5 pillars of NIST
• It adds a “Governance” section, for a total of 48 questions
• In our online implementation below, external evidence is
provided to score questions like “do you patch appropriately?”
Cyber resilience assessment from PRA & FCA
53

54. CQUEST
CQUEST consists of multiple-choice questions covering all aspects of cyber resilience, such as:
• Does the firm have a board-approved cyber security strategy?
• How does it identify and protect its critical assets?
• How does it detect and respond to an incident, recover and learn from the experience?
Cyber resilience assessment from PRA & FCA
54

55. Continuous Monitoring of our key suppliers
Sending your Self Attestation Questionnaire – automated workflows
55

56. Continuous Monitoring of our key suppliers
Marking your Self Attestation Questionnaire – automated workflows
56

57. 1. Measurement: obtain independent, objective, & timely
data on the cyber posture of your material suppliers, vs peers
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Oct 2020: Serious cyber attack suffered by Hackney Council
UK’s National Cyber Security Centre (part of GCHQ) called in by North London local government
After months of having cyber security that was worse than at other councils , many
of the services and IT systems of Hackney Council were disrupted, on 13th October.
In March 2020, as remote-working began,
cyber security posture at Hackney fell badly.

58. 2. Mitigation: engage your material Suppliers to show
what hackers can exploit, to reduce risks across suppliers
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Microsoft
Finastra
Equifax
HIS Markit

59. 3. Management: implement Governance dashboards that
show Execs how your firm compares with your competitors
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Breach Response
Capability Maturity

60. Cyber
Resilience
Kevin Duffey
Managing
Director
November
2020
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience”
for 100 days of online, real-time reporting on all your suppliers, as a benefit
of participating in this Marcus Evans conference.