Information Risk Management

Client background 

Our client was a private-equity-owned, FCA-authorised fintech employing c. 500 people. It was mid-way through a card scheme application process when its external auditor asked it questions about its cyber risk management, privacy, and fraud controls.

The challenge 

Our client needed a combined information risk management and business continuity framework designed to encourage active participation from executive management. The implementation had to advance at pace to ensure that their authorisation process was not delayed.

Our approach and contribution 

Working in close partnership with the management team, we:

  • Reviewed the existing management information and determined it was too technical for senior management. We immediately recommended and implemented changes to the management information.

  • Provided the private equity firm with a plain English summary of the cyber-security questions its portfolio oversight committee should be asking all the firms in its portfolio.

  • Documented an information risk management framework that covered cyber, fraud, privacy, and business continuity. This included an approach to achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) and a data privacy impact assessment template.

  • Conducted a firm-wide security risk assessment. 

At every stage we partnered with the management team, attended their fortnightly management forum, and provided a summary of the work being undertaken and its business justification.

The outcome 

As a result of our engagement, the following was achieved:  

  • Our client had a documented framework and a plan of work that it submitted to the card scheme, thereby avoiding delays to its application. The documentation was ultimately used to support the card scheme application, which was successful.

  • The Executive Committee embedded the use of our simplified management information in its monthly reviews and was able to satisfy its external auditors.

  • The portfolio oversight committee at the private equity firm rolled out the simple question book to all the firms in its portfolio.

  • The firm-wide risk assessment prompted wholesale changes at one of the firm’s overseas processing centres. The card scheme rules did not apply to the processing centres; nonetheless, the Executive Committee decided to invest in the additional controls, having seen the value delivered by the framework.