Helping you manage cybersecurity risks

The cybersecurity risks faced by all organisations are increasing rapidly, and financial services are no exception. Reports of attacks, both successful and not, pepper the media, and bring credence to the claims that ignoring cyber risks can inhibit business growth. Legal prosecutions in all jurisdictions are becoming more commonplace, Board members are demanding action, and stakeholders including customers, investors, lenders and other partners now routinely expect evidence of cyber awareness and risk reduction.

What of regulators? There has been no shortage of circulars, guidance notes, requirements, standards and reports from regulatory bodies across the globe. They recognise the impact of cyber risk on their regulatory objectives in the broadest sense – market integrity, consumer protection, and competition. So their messages contain similar advice for firms.

  1. Know your cyber security risks
  2. Recognise that people are a key point of weakness
  3. Strengthen security through new technical security measures, policies, procedures and training
  4. Have a formal cybersecurity response and recovery plan
  5. Consider network penetration, internal vulnerability and social engineering tests.

Can your company offer credible assurance about its cyber risk management? We offer a 14-point component plan, on a modular basis, to allow you to:

Meet regulator expectations

Document and reduce your cyber risks

Evidence your cyber status


1. Regulation gap analysis
  • For each in scope jurisdiction identify requirements, actual practice and gaps
2. Review security of service providers
  • Identify relevant providers including counterparties, administrators, IT suppliers etc
  • Perform due diligence
  • Recommendations based on gaps
3. Identify, locate and document the protection of confidential data
  • Obtain inventory
  • Identify and classify data
  • Document categories
  • Review policies for adding and, critically, removing staff access to internal and external sensitive data
4. Perform cyber risk assessment
  • Identify threats and document controls
  • Recommend and agree risk mitigations
5. Implement risk mitigation measures
  • Work with IT to identify cost effective technical measures
  • Improve policies and procedures
6. Examine IT service availability and BCP cybersecurity readiness
  • Agree targets for system availability
  • Recommend further measures to meet targets set
  • Audit BCP
7. Implement information security and compliance policies
  • Provide and tailor IS template
  • Enhance compliance manual
8. Provide scenario based BCP
  • Confirm regulator expectations
  • Recommend cost-efficient and better recovery methods using cloud computing
9. Meet regulators data retention requirements
  • Review implementation of regulator data retention rules covering AML, trading and client data
  • Make recommendations to bridge gaps identified
10. Produce cyber response and recovery plan
  • Review firm’s ability to recover from the most damaging types of cyber attack
  • Examine firm’s capacity for discovering cyber incidents and dealing with subsequent resolution
  • Tailor a response and recovery plan
11. Provide testing – penetration testing, phishing, vishing
  • Perform hacking tests, phishing and vishing tests, physical office and data centre access tests
  • Develop training to address gaps identified
12. Roll out training
  • Execute training plan
13. Due diligence questionnaires
  • Provide standard information that can be supplied on request to clients and other counterparties
14. Report
  • Produce an independent report to provide an audit trail and evidence cybersecurity risks reduction

How can we help?

Bovill is a specialist financial services regulatory consultancy dedicated to providing high quality, technically-focused advice to clients across the financial services spectrum. We help firms identify the regulations they need to comply with, their actual compliance with those regulations, and work with them to address the gaps and reduce their regulatory risk. Get in touch for more information or click here.

Share this