THEME IN FOCUS: CYBERSECURITY
We believe boards should be accountable for key enterprise risks, such as cyber and data security issues, and should have clear oversight of technology, data security and privacy policies.
As the frequency of cyberattacks and the cost of security failures increase, we want to stay alert to these risks, and ahead of them, when assessing portfolio exposure to them.
CASE STUDIES
Company 1
What did we find out?
We engaged with an Italian bank and established that it assesses its cybersecurity maturity against an external framework published by NIST, the U.S. National Institute of Standards and Technology. It also reports cyber risk to senior management using key performance indicators. However, it was not transparent about the key personnel responsible for cybersecurity strategy, or about whether there was an audit process.
Following a second engagement, the company has confirmed that it has both an internal and an external audit process for cybersecurity risk. It has also appointed a chief security officer, who is accountable to the board for execution of its cyber strategy. The board of directors has two candidates with cybersecurity expertise.
In response to our specific questions, the company said it provides ongoing training to its cyber experts so that they can develop in their roles and keep pace with the ever-changing nature of cybersecurity risk. The company confirmed that in 2020 it had allocated 5% of its total security budget to cybersecurity, which is in line with other European banks. The company is also building its talent pipeline by recruiting directly from universities.
Next steps
We will continue engaging to understand internal accountability.
Company 2
What did we find out?
We engaged with Company 2, a Spanish bank, and established that it has a cybersecurity incident response team. It collaborates with external entities, including government security agencies and various security providers. All employees receive training on cybersecurity. However, it was unclear who was responsible for the strategy in this area and what the company's cybersecurity budget was. In addition, the board had not received specific training on the management of cyber risks.
Next steps
We will continue engaging to understand internal accountability, board training on cyber risk and whether the bank has an audit process for its cyber risk strategy.
Company 3
What did we find out?
We engaged with a UK insurer which, together with its subsidiaries, provides personal and commercial general insurance products in various countries. We found that the company is a member of the Information Security Forum and has group policies and guidelines based on the Forum's Standard of Good Practice. These policies aim to ensure a consistent expectation of the cyber controls in place across the regions in which the company operates. The chief information security officer is responsible for the cybersecurity strategy and for communicating it to management.
Company 3 also provides annual privacy refresher training and regular updates to all employees. There is appropriate training on cyber and data security for all employees and for the board. Occasionally, it carries out spot checks to ensure compliance with policies and procedures. Lastly, key controls are in place for an annual external audit, and the independent risk function conducts real-time and periodic assurance. The internal audit department reviews information security in line with the company's audit plan.
Next steps
We will continue to engage with Company 3 to understand its cybersecurity budget.
Company 4
What did we find out?
We engaged with a hotel services provider that was one of the first companies to disclose its cybersecurity budget, which accounts for around 5% of its total IT spend. However, the company confirmed that, because of the impact of COVID-19, this budget would not be spent in full during 2020. We were pleased to hear that the company was preserving its capital expenditure.
The company also confirmed that it will provide more disclosure on its training programs for data sharing. We were told that the executive board receives training on cyber, data security and phishing, in addition to monthly reports about IT risks in the group. Executive board members also have direct personal access to the IT teams when they are unsure whether an email is legitimate. The company participates in a cybersecurity conference every year and has access to an online training platform and one-off on-site training. It also has a cyber surveillance program, which is managed by an external provider.
In our view, the company lags many of those operating in the financial and insurance sectors because it has yet to consider external assessment frameworks. However, it does adhere to a four-tier internal process. The chief information security officer is responsible for setting the company's cybersecurity strategy.
Next steps
We will continue to engage with Company 4 and follow its progress as the newly appointed chief information security officer adopts new policies and sets a cyber strategy.
Our global annual report for 2020 illustrates not just that we are engaging with a wide range of companies, but how we are doing it, too.
Risk summary
Certain client strategies invest on the basis of sustainability/environmental, social and governance (ESG) criteria, which involves qualitative and subjective analysis. There is no guarantee that the determinations made by the adviser will be successful and/or align with the beliefs or values of a particular investor. Unless specified by the client agreement or offering documents, specific assets/companies are not excluded from portfolios explicitly on the basis of ESG criteria, nor is there an obligation to buy and sell securities based on those factors.