Managing Cyber Risk: Lloyds Banking Group Case Study
Project: Cyber Risk Third Parties Programme and ‘BAU’ Cyber Supplier Assurance Framework
Client: Lloyds Banking Group
In 2017 Lloyds Banking Group (LBG) was using a number of providers to support its Cyber Transformation programme and its ongoing supplier assurance programme. 3VRM was asked to work with multiple functions to design and implement improvements to the Third Party Assurance framework.
In 2016 the Cyber Third Party workstream programme was limited to the update of IT Security schedules for the most critical suppliers. 3VRM introduced LBG management to a range of best practice tools and processes and worked to re-baseline the programme to include a number of additional components:
- the development of a standard assurance method linked to the criticality of the supplier;
- the delivery of a number of additional supplier on-site assessments;
- a standard supplier criticality assessment method;
- and the introduction and adoption of security ratings tools.
As the programme has progressed, focus has moved on to remediating risks identified in the supply chain and then developing sustainable capability in the ‘business as usual’ organisation.
3VRM has provided thought leadership and direction to the programme, and provided expert Cyber risk assessment resource to help deliver programme activities and augment the ‘business as usual’ assurance teams.
Over a three-year period the programme has elevated the bank’s approach to managing Cyber risk in the supply chain, making it a leader and innovator in several respects.
Specific achievements include:
- the design and implementation of a new assurance method based on Hellios FSQS, and aligned to industry best practice;
- the adoption of security ratings tools for supplier assurance and continuous risk monitoring, scaled to assess several hundred suppliers;
- the design and implementation of a new operating model for Third Party Risk management from initial risk assessment, through due diligence to on-going assurance and risk and issue management;
- the identification and subsequent remediation of >1000 new Third Party supplier risks and issues.
3VRM has helped to improve the quality of assurance capability across the organisation by:
- developing and training all assurance teams on enhanced processes, tools and assurance methods;
- providing a scalable and flexible team of skilled resources to meet the changing needs of the CISO Third Party Security team (ranging from 1-9 FTE depending on demand);
- and connecting LBG with peer and other leading organisations to share best practice and develop collaboration opportunities.