Press release

Foreign banks increase focus on cyber risk management but further action required from UK boards and management: Marsh/AFB report

LONDON   |   27 JULY 2021

UK subsidiaries and branches of non-UK headquartered banks are increasing their focus on the management of cyber risk, but further action needs to be taken by local boards and management committees to ensure that UK customer and stakeholder obligations continue to be met. This is according to a report released today by Marsh, the world’s leading insurance broker and risk advisor, and the Association of Foreign Banks (AFB), the membership organisation which represents foreign banks in the UK.

The report, Cyber risk governance - How are the UK subsidiaries and branches of non-UK headquartered banks meeting their regulatory obligations?, which is based on research among members of the AFB, found that the majority (57%) of respondents have developed a localised view of cyber risk and are able to demonstrate clearly how their local and group level cyber risk controls combine to fulfil relevant UK regulatory requirements.

Further, 83% have catalogued the group-level services on which the UK bank depends and are in the process of documenting their intragroup outsourcing service level agreements (SLAs) as required by the Prudential Regulation Authority (PRA).

However, the report found a gap between risk identification and governance, and the practicalities surrounding risk assurance and preparedness. Only 13% of respondents reported that their leadership had regular and independent visibility of how well their controls operate in practice, such as by independent penetration testing, by management information highlighting issues specific to their UK bank, or by having direct access to their own specialist cyber risk experts and auditors.

Only 9% have achieved the highest level of crisis preparedness for a major cyber event – with the UK board or management committee directly involved in cyber crisis exercising.

Charlie Netherton, Head of Marsh Advisory and Digital, UK and Ireland, Marsh, said: “While many banks are centralising their IT functions, UK boards and management committees ultimately remain responsible for ensuring that the potential risks to the bank’s UK operations are properly understood and managed, and UK regulatory requirements are being met.

“There is a danger that assumptions could be made about how responsibility and accountability are distributed between group and subsidiary/branch level. Senior managers at group and local level need to ‘mind the gap’ and ensure that there is proper dialogue on cyber risk and operational resilience between the UK branches and the overseas parent, in order to fully meet their regulatory obligations and be prepared for cyber events.”

According to the report, there are fundamental processes that foreign banks need to address, if they are to have confidence that the cyber risks associated with their UK operations are being managed effectively:

  • Understanding how differences in local-level and group-level cyber risk exposure are identified and addressed.
  • Establishing how intragroup responsibilities and accountabilities are defined and managed.
  • Ensuring that the UK board or management committee has the right level of oversight of relevant control activities (at both local and group level).
  • Ensuring that the UK board or management committee is adequately prepared to deal with major cyber events when they occur.

Dr Catherine Raines, AFB CEO said: “The report identifies several areas of good practice that can help guide individual banks to improve their cyber risk governance approach. Despite the wide diversity in size, business models, and governance structures that characterises the AFB membership, there are common themes that apply to all foreign banks operating in the UK. The cyber security threat is constantly evolving. This report will be the start of an ongoing conversation between members to share best practice in cyber risk governance and identify ways in which they can play a part in improving the security and resilience of the UK financial services sector as a whole.”

About the Association of Foreign Banks

Established in 1947, the AFB is the voice of Foreign Banks in the UK.  Foreign banks oversee over half of all regulated capital in the UK and significantly underpin UK GDP. They engage in a wide range of banking and investment business activity, primarily in the wholesale banking markets. They make a significant contribution to the UK’s standing as a major international financial centre and to the depth and breadth of markets globally, facilitating global trade.

The AFB champions the success of foreign banks in the UK by supporting their establishment; providing a platform for them to share information and best practice; promoting their interests to industry stakeholders, policymakers and regulators; and supporting a positive profile of the sector in the media. The AFB today has around 200 international banking group members, representing about 80% of the UK’s foreign banking market. For more information, visit foreignbanks.org.uk, or follow us on LinkedIn and Twitter.

About Marsh

Marsh is the world’s leading insurance broker and risk advisor. With around 40,000 colleagues operating in more than 130 countries, Marsh serves commercial and individual clients with data-driven risk solutions and advisory services. Marsh is a business of Marsh McLennan (NYSE: MMC), the world’s leading professional services firm in the areas of risk, strategy and people. With annual revenue over $17 billion, Marsh McLennan helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses: Marsh, Guy Carpenter, Mercer and Oliver Wyman. Follow Marsh on Twitter @MarshGlobal; LinkedIn; Facebook; and YouTube, or subscribe to BRINK.
