FERMA and ECIIA unveil vision for cyber three lines of defence model

Cyber-attacks remain one of the biggest threats to operational efficiency for businesses worldwide. They ranked as the number one potential hazard to organisations among both risk managers and non-risk professionals in a recent Depository Trust and Clearing Corp survey.

In fact, 69% of respondents cited cyber-attacks as a top-five risk for 2019, which was notably higher than the proportion who said geopolitical risk and trade tensions (55%) and Brexit (49%). However, just 44% of professionals in PwC’s Global State of Information Security Survey for 2018 said their corporate boards actively participate in the company’s overall security strategy.

The Federation of European and Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) have suggested that many boards may still see cyber threats as an IT issue. This could lead to firms failing to take an integrated company-wide approach to their cyber infrastructure planning and development.

As such, they have published a new report to support organisations that wish to define a stronger governance model. This, they claim, will ensure better alignment between business strategy and cyber risk, as well as improve co-ordination and co-operation between key stakeholders.

Reassessing the three lines of defence model

One key suggestion in the report is to reconfigure the traditional three lines of defence model to meet the specific needs of cyber risk. Historically, the three lines of defence comprises:

• First line: Functions that own and manage risk. Here, operational managers own and manage risks by implementing corrective actions when problems arise.
• Second line: Functions that specialise in the oversight of risk management and compliance.
• Third line: Internal audit functions that provide independent assurance.

The FERMA and ECIIA approach retains the same general categories and concepts as the third line of defence model but adapts the framework to meet the unique needs of cyber risk concerns.

The report is a rather weighty 30-page document, so we’ve summarised the key elements of their modified three lines of defence model below:

First line of defence

According to FERMA and the ECIIA, the main teams or departments involved in the first line of defence for cyber risk are IT, data management and human resources. The report breaks down what the key responsibilities and basic precautions of each one should be if organisations wish to embark on a three lines of defence model for cyber risk.

• IT
  • Administers security procedures; 
  • Conducts security training and testing;
  • Maintains security device configurations; and
  • Ensures software and security patches are up to date.
• Data management
  • Establishes a Chief Data Officer for company-wide data and information strategies;
  • Ensures data privacy and security;
  • Maintains data quality and integrity; and
  • Uses data to deliver a competitive advantage over rivals.
• Human resources
  • Removes access rights from exiting employees immediately;
  • Ensures new employees don’t bring in external data;
  • Provides clear mobile device policies and implement appropriate disciplinary actions for anyone breaching security standards; and
  • Leads communications regarding employee concerns over cyber incidents. 

FERMA and ECIIA also advise all departments to work closely with the other lines of defence to build an integrated strategy. They believe it is particularly important for risk managers and internal auditors to be across all aspects of a three lines of defence model for cyber risk.

Second line of defence 

The report states there are five key actors responsible for cyber risk in the second line of defence:

1. Risk managers;
2. Data protection officers;
3. Chief information security officers (CISOs);
4. Compliance officers; and
5. Finance officers.

Of these, risk management was cited as the primary function tasked with crucial oversight of cyber risk. These professionals are likely to be responsible for defining the organisation’s exposure and acting as a facilitator between the board and central business functions, including IT, compliance and human resources.

Meanwhile, FERMA and ECIIA claim data protection officers should have complete control over data protection protocols and be entirely independent of influence, reporting only to the most senior executives involved in cyber risk. CISOs or the equivalent position are generally responsible for co-ordinating and managing information security across the whole organisation. The CISO can therefore be an advocate for security, while considering the business enabling value and risks of cyber channels.

As #cyber #risks grow in severity, #ferma discussed how co-operation within businesses can provide resilience. Available now: report on cyber risks featuring presentations, key learning and background interviews https://t.co/b2rsm5EaoO pic.twitter.com/YcwGl8Smbw

— FERMA (@FERMARISK) January 9, 2019

The cyber three lines of defence model requires legal and compliance teams to be involved in identifying the impact of potential cyber incidents on multiple areas of the business, including contractual agreements, regulatory liabilities and supply chain efficiencies. These tasks have perhaps more important since the introduction of GDPR and the heavy fines associated with the worst cases of non-compliance.

Lastly, finance officers are key to gaining the necessary budget support for cyber defence initiatives, as well as working with risk managers to quantify the costs associated with risks and exposures.

Third line of defence 

The internal audit function is a vital component of any three lines of defence model, providing objective assurance and insight into risk management effectiveness. FERMA and ECIIA emphasise the importance of this for organisations assessing the ongoing efforts to combat their cyber risk.

Assurance is typically provided through the audit plan, which gauges how key cyber risks are managed by testing the appropriate controls, policies and procedures that are currently in place. According to FERMA and ECIIA the most common activities internal auditors should be planning are:

• Independent, ongoing evaluations of preventative/detection measures;
• Examining IT assets of privileged access users for security failings;
• Ensuring remediation is working as expected; and
• Providing assurance of third parties and suppliers. 

Above all, the report reinforces the importance of close co-operation based on a sound understanding of cyber risks and the functions that are involved in identifying, managing and assessing problem areas.

Tackling cyber risk in 2019 and beyond

Whether or not the FERMA and ECIIA three lines of defence model enjoys significant uptake is yet to be seen. Nevertheless, the fact remains that cyber risk is a crucial consideration for firms.

Our 2019 Risk Management Market Report recently revealed that IT and cyber risk would be the most in-demand skillset within risk departments this year. One-third of employers said they would need these capabilities, while 20% chose people who have second line of defence experience. Furthermore, our Security Market Report showed 35% of corporate, cyber and information security employers expect to need professionals with expertise in information and technology risk.

Ultimately, finding the right people to formulate and implement any cyber risk strategy is crucial for ensuring preventative measures are tailored specifically for the needs of your organisation. If you would like to discuss your governance recruitment needs, please contact me on 020 7936 2601 or via email at mda@barclaysimpson.com.

Image credit: William Mallot via Unsplash