Like many other organisations in the financial services industry, Link Group treats risk management as a key component of its corporate governance model and a core part of its business.
According to Dave Cowan, CISO, Link Group, “We have embedded risk management into the business to ensure we are taking appropriate and reasonable steps in managing cyber security risks."
He told iTnews that the business has developed a culture where people understand their individual and collective obligations in what is a heavily scrutinised and regulated environment.
“We have adopted industry recognised standards including a traditional ‘Three Lines of Defence’ risk model that distinguishes the functional responsibilities of each line while still operating collectively to ensure adequate oversight, management, monitoring, assurance and reporting of risk and controls,” he said.
“Our management of risk involves us having a logical and systematic method of identifying, analysing, treating and monitoring the risks involved in any activity or process across the organisation. In our role as custodians of data for thousands of market participants globally and the Personally Identifiable Information (PII) that we hold on their behalf, we have a duty and responsibility to protect and safeguard this information and prevent its misuse.”
Cowan believes that effective risk management really comes down to setting a clear risk appetite and ensuring all of the information is at hand to make an informed decision. “This helps with prioritisation as each area is accountable for the lifecycle management of each risk and a risk treatment plan is agreed with the relevant stakeholders.”
The Enterprise Risk Management Framework Link Group uses sets the strategic approach for risk management by defining standards, objectives and responsibilities for everyone in the organisation. The operational risk management framework is the engine room for mitigating and reducing risk to an acceptable level, in line with the risk appetite set by the Board.
As a financial services business, Link Group sits in one of the sectors captured by the changes to critical infrastructure legislation.
“The benefit of aligning to existing international standards and frameworks such as ISO27001 and NIST Cybersecurity Resilience Framework, as well as a plethora of legislative and client contractual requirements around the world, is that it prepared us well for the changes in the regulatory landscape,” he says.
“The main change from the Security of Critical Infrastructure Act is that we have had to update our initial reporting timeframes and external stakeholders listed within our documented response plans and streamline our testing procedures to cater for the revised reporting obligations.”
Cowan believes the key message the industry has been sent by the government and regulators is that it is imperative for organisations to have robust controls and measures in place to quickly assess the impact of a cyberattack that affects individuals or the wider economy.
“Recent events have shown that there is a real appetite for early notifications to not only the individuals impacted by a cyberattack but also the wider ecosystem, which allows everyone the opportunity to take proactive measures to protect themselves from harm.”
“In my opinion, the best way to adapt to these requirements is to stress test our response plans and make the necessary tweaks based on lessons learned.”
Organisations need to develop good muscle memory across all facets of the response plan, he says.
“Understanding the implications of the enhanced reporting requirements on the wider crisis management response plan is going to ensure a more resilient organisation going forward.”