Back

Blogs

Gemserv develops Green Book Compliant business case for a £100m 'Able to Pay' Loan scheme in South West

View All

Case Studies

Cyber Threat Intelligence for Energy Theft Prevention

View All

Upcoming Events

FairHeat Annual Conference 2024

View All

Webinars

Thoughts

Financial Services Case Study

4th Nov, 2019

The Client

A UK financial services organisation engaged Gemserv to develop its cyber security strategy, undertake threat and risk assessments and create and implement security policy documentation.

This was required to ensure compliance with the Prudential Regulation Authority (PRA) to be granted approval to trade.

The Challenge

According to industry data, the financial services sector is one of the most vulnerable to cyber attacks. The nature of the industry’s operations where vast amounts of money are traded and significant quantities of personal data are held means breaches could be catastrophic.

As well as risks posed through business disruption and reputational damage, the sector is highly regulated and firms which suffer cyber security incidents risk significant fines or potentially losing their ability to operate in markets.

Given the pace of change in the threat landscape faced, developing a robust cyber security framework that is able to provide continuing support to an organisation is crucial.

Our Approach

We took a structured approach to help the client meet its aims including:

  • Identifying risks to each area of the business through a series of workshops to capture and document threat vectors and attack methods in compliance with best practice.
  • Each threat was assessed, in compliance with the ISO 27005 international standard of risk management, based on likelihood of occurrence, impact to the business unit and the overall organisation, the man-hours and cost required to prevent and to correct and, the method (if any) by which it could be mitigated.

The results were then overlaid onto the PRA licencing requirements so prioritised risk treatment work could begin. Essential to the prioritisation effort was the understanding of risk appetite within the different areas of the business which included the identification of critical assets, services and products.

We then:

  • Developed a framework and method for surveys to be conducted across the organisation to identify critical information assets and services. The results were collated and an associated risk score was added to each asset and assessed within the context of the overall risk appetite.
  • Helped the organisation develop its overall security strategy, creating bespoke policy documents in areas such as identity and access management, risk assessments, vulnerability and patch management, secure software development and monitoring and alerting. All risk treatment recommendations were aligned with the organisation’s risk appetite.

The Outcome

We successfully assisted the client in gaining an interim licence to trade and helped to develop the risk framework and security strategy to use going forward and to support the achievement of a full operating licence.

All deliverables were delivered on target and the cyber security approach of the client has been significantly enhanced. The success of the project led to Gemserv being retained to lead the client through Cyber Essentials and ISO 27001:2013 certification.