Managing cyber risk in global finance

The bank faced a common challenge in the industry: third-party risk management was not centralised, but split across a variety of departments, some of which had almost no interaction.

Two such departments were IT Security and network management. While IT Security had a mandate to monitor the cyber risk of the bank’s critical third-party relationships, it was largely unaware of the huge exposure the bank had to an international post-trade network of agent banks and financial market infrastructures.

These were the responsibility of the Network Management team, which operated a sophisticated global due diligence model but had no clear mandate to monitor cyber risk. The ensuing gap – with the bank failing to adequately monitor the security posture of many local custodians and market infrastructures to which its clients had huge financial exposure – needed to be addressed.

The problem arose when the Head of Network Management realised that the team needed to enhance its cyber risk oversight and management, but had no subject-matter experts in the team. In such a large organisation, it was also difficult to identify the internal stakeholders who could assist.

Thomas Murray was able to share its knowledge of industry best practice, as well as the tools required to put an efficient and effective third-party cyber risk management programme in place.

The IT Security and Network Management teams established a new cyber risk framework. Using Thomas Murray’s due diligence tool, the bank issues a standard questionnaire – with questions now tailored to Network Management – to its third parties. The questionnaire responses and documentation are validated by IT Security, assisted by Network Management during on-site due diligence visits.

The IT Security team uses Thomas Murray’s cyber risk ratings and threat intelligence to provide continuous monitoring that is also fed into the risk assessments. Where necessary, the IT Security team requests that a particular third-party – an agent bank or CSD, for example – is escalated to provide more evidence or to perform certain remediations.

The bank’s IT Security team logged into the platform 57 times in the first three months, and is on a mission to drive transparency and security awareness within its agent banks and market infrastructures.