
Our client is a Global Custody Bank – one of the key providers of securities banking, supporting clients’ investments around the world. The bank provides safekeeping and administration of assets for a huge client base of institutional investors and asset owners.

Thomas Murray worked with the bank’s chief information security officer (CISO) and Network Management team to build a first-rate cyber risk monitoring programme that addresses the bank’s exposure to its global network of agent banks, the local financial market infrastructures, and a range of other service providers.

“With Thomas Murray we are able to affordably monitor hundreds of banks, market infrastructures and other third parties globally. No other provider could do this for us at such scale, and with such detailed knowledge of the risks specific to the post-trade sector.”

Head of Network Management, Global Custody Bank

“Thomas Murray’s solution was new to us, but the scope and accuracy of the data is better than anything I have seen in the market. It is an excellent, affordable tool for evaluating the security posture of the bank’s third parties, and its benchmarking is more meaningful and configurable than tools I’ve used in the past.”

CISO, Global Custody Bank

 

The challenge

The bank faced a common challenge in the industry: third-party risk management was not centralised, but split across a variety of departments, some of which had almost no interaction.

Two such departments were IT Security and Network Management. While IT Security had a mandate to monitor the cyber risk of the bank’s critical third-party relationships, it was largely unaware of the huge exposure the bank had to an international post-trade network of agent banks and financial market infrastructures.

These were the responsibility of the Network Management team, which operated a sophisticated global due diligence model but had no clear mandate to monitor cyber risk. The ensuing gap – with the bank failing to adequately monitor the security posture of many local custodians and market infrastructures to which its clients had huge financial exposure – needed to be addressed.

The problem arose when the Head of Network Management realised that the team needed to enhance its cyber risk oversight and management, but had no subject-matter experts in the team. In such a large organisation, it was also difficult to identify the internal stakeholders who could assist.

The solution

Thomas Murray was able to share its knowledge of industry best practice, as well as the tools required to put an efficient and effective third-party cyber risk management programme in place.

The IT Security and Network Management teams established a new cyber risk framework. Using Thomas Murray’s due diligence tool, the bank issues a standard questionnaire – with questions now tailored to Network Management – to its third parties. The questionnaire responses and documentation are validated by IT Security, assisted by Network Management during on-site due diligence visits.

The IT Security team uses Thomas Murray’s cyber risk ratings and threat intelligence to provide continuous monitoring that is also fed into the risk assessments. Where necessary, the IT Security team requests that a particular third party – an agent bank or CSD, for example – be escalated to provide more evidence or to perform certain remediations.

The bank’s IT Security team logged into the platform 57 times in the first three months, and is on a mission to drive transparency and security awareness within its agent banks and market infrastructures.

The verdict

Thomas Murray helped to identify a gap in the bank’s security – its failure to adequately monitor the cyber risk of its post-trade counterparties. Leveraging Thomas Murray’s cyber security and due diligence tools, the bank was able to:

  • develop a framework that brought together its IT Security and Network Management teams;
  • deliver proper oversight of those third parties;
  • develop a quantifiable approach to monitoring cyber risk; and, ultimately,
  • protect investor data, assets and reputations.

In the first three months:

  • $1+ trillion: assets under custody to protect globally
  • 57: active sessions on platform
  • 142: third parties monitored across 54 markets
  • 2: risk teams now working together (IT Security and Network Management)

Orbit Security

Security ratings for enhanced attack surface management and third-party risk. Monitor for breaches and vulnerabilities that could be exploited by threat actors.

Contact an expert

Roland Thomas, Associate Director

Phoebe Jordan, Managing Director | TPRM