A recent joint survey on cyber resilience by the Institute of International Finance (IIF) and McKinsey found significant concerns regarding third-party security.
The report focuses on four different areas: firm-level cyber resilience, sector-level cyber resilience, costs and full-time-equivalent employees, and next-generation trends. A key theme is around building up cybersecurity controls around supply chains, including third- or fourth-party risks, in areas such as vendor remote-access management, activity monitoring, and concentration risk.
The survey found that size matters: the largest firms have higher cyber resilience scores across functions. Companies with more than $1 trillion in assets had an average resilience score of 3.0 on a 4-point scale, while companies below that size had an average score of 2.6. “Cybersecurity resiliency requirements get complex as companies grow beyond a certain scale, so it is important to embed resiliency as part of the growth strategy,” the report noted.
Security around the supply chain and vendors, along with incident response, were reported as the least-mature capabilities. For example, 33% of companies responded that they do not have proper vendor remote-access management with multi-factor authentication. This suggests a need to strengthen access control and other cybersecurity areas for vendors.
The survey was designed to provide an understanding of the current and planned practices that financial firms are undertaking to enable and strengthen firm- and sector-level cyber resilience. 27 globally active firms participated in the survey, and more than 50 companies took part in group discussions at meetings with chief risk officers in the Americas, Asia, Europe, and the Middle East.