Thomas Murray worked with the Network Management and Risk and Compliance teams of a major global custodian bank to build a first-rate due diligence programme that addresses the bank’s exposure to its global agent and nostro bank network, local financial market infrastructures, and a range of other service providers.
“With Thomas Murray we are able to affordably assess hundreds of banks, market infrastructures and other third parties globally. No other provider could do this for us at such scale and with such granular knowledge of the risks that are specific to the post-trade sector.”
Head of Network Management, Global Custody Bank
“Thomas Murray’s solution was new to us, but the automation and ease of issuing annual due diligence questionnaires is better than anything I have seen in the market. It is an excellent, affordable tool for automating due diligence for the bank’s third parties, and its reporting is more meaningful and configurable than tools I’ve used in the past.”
Head of Risk and Compliance, Global Custody Bank
Thomas Murray’s client is a global custodian bank – one of the key providers of securities and cash banking, supporting clients’ investments globally. The bank provides safekeeping and administration of assets for a huge client base of institutional investors and asset owners.
The challenge
The bank faced a common challenge in the industry: third-party risk management was not centralised, but split across a variety of departments, some of which had little interaction. Two such departments were Risk and Compliance and Network Management.
While Risk and Compliance had a mandate to monitor the risk of the bank’s critical third-party relationships, it was largely unaware of the huge exposure the bank had to a post-trade network of agent banks, cash correspondent banks and financial market infrastructures across the globe.
These were the responsibility of Network Management, which operated a sophisticated global due diligence model manually using email, Excel and cumbersome reports. The ensuing gap – with the bank failing to adequately monitor the security and cash posture of a large number of local providers and market infrastructures to which its clients had huge financial exposure – needed to be addressed.
The problem came to a head when the Head of Network Management realised that the team needed to enhance its oversight and management, but had no subject matter experts to draw upon from within the group.
The solution
Thomas Murray was able to share its knowledge of industry best practice, as well as the tools required to put an efficient and effective third-party risk management programme in place.
The Risk and Compliance and Network Management teams established a new risk framework. From a fully modular solution, the group chose to adopt a mixed model drawing on Thomas Murray’s risk assessments for its critical providers, and used Thomas Murray’s due diligence platform to issue standard questionnaires for other providers:
- “Risk assessments” is where the group drew on selected reporting and supporting benchmarking available across the post-trade entities tracked by Thomas Murray, including global/ICSDs, sub-custodians, cash correspondents, prime brokers, fund platforms and transfer agents. This includes proactive cyber monitoring of these (and any other requested entity);
- “Due diligence platform” allows the group to issue its own questionnaires, tailored to Network Management, to its remaining third parties. The questionnaire responses and documentation collected using the platform are validated by Risk and Compliance, assisted by Network Management during their on-site due diligence visits. Where necessary, the Risk and Compliance team requests that a particular third party – an agent bank or CSD, for example – is escalated to provide more evidence or to perform certain remediations.
Both teams are able to access the My Portfolio dashboard homepage of Orbit Risk, which presents a combined view of all monitored entities, both those monitored by Thomas Murray and those assessed under the bank’s own framework. This creates a centralised view of all assessed entities in one place, highlighting low-risk organisations, recent news and cyber trends at a glance.
The bank’s Risk and Compliance team logged into the platform 57 times in the first three months, and is on a mission to drive transparency and security awareness within its agent banks and market infrastructures.
The verdict
Thomas Murray helped to identify a gap in the bank’s security: its failure to adequately monitor the risk of its post-trade counterparties. Leveraging Thomas Murray’s due diligence tools, the bank was able to develop a framework that brought together its Risk and Compliance and Network Management teams, delivered proper oversight of those third parties and established a quantifiable approach to monitoring third-party risk, ultimately helping to protect investor data, assets and reputations.
“In the past, we only had occasional contact with our Risk and Compliance team, who helped to validate the responses to some DDQs. Recent regulations and geopolitical events demonstrated to our bank the need to monitor the risk of our post-trade counterparties around the world. Thomas Murray has been instrumental in developing such a programme for us, and in bringing together the Network Management and Risk and Compliance teams.
With Thomas Murray we are able to affordably monitor hundreds of banks, market infrastructures and other third parties globally in a centralised way. No other provider could do this for us at such scale, and with such a detailed knowledge of the risks specific to the post-trade sector.”
Head of Network Management, Global Custody Bank
In the first three months:
$1+ trillion
57
142
2
Director of a Major Middle Eastern CSD
“The evaluation is very beneficial not only for our IT Security team but for the company as a whole. As CSDs we have to be as prepared as we can be against cyber risks, so Thomas Murray’s new initiative will be a golden key for that.”
Director of Cyber Security, Latin American financial institution
“The tool is good for us to identify cybersecurity risks to which our domain and its sources are exposed, as well as how to mitigate them.”
Head of Network Management, a European Bank
“Thomas Murray provided information we do not get by any other means today. It’s very useful. The tool is impressive and a nice answer to a problem in the banking industry: how do you manage a large network of service providers, distributors, partners and other third parties without costs creeping up? Cyber is going to be on the agenda for years to come and this tool is going to help us to keep ahead of our third-party risk management requirements.”
Cyber Specialist, third-party risk management at a US bank
“Responses to cyber questionnaires can be very PR-focused, and it’s difficult to get transparency. Security ratings cut through poor response rates to provide a health check based on objective, verifiable public data. We have integrated Thomas Murray’s cyber risk ratings and threat intelligence into our monitoring of agent banks and CSDs globally, and are looking to add additional groups from across the bank.”
IT Security Officer at a Central European bank
“The tool is well-designed and very user-friendly. Monitoring service providers and other third parties’ cyber risk is going to become a regulatory imperative soon; right now it is best practice and something banks should be looking at. Thomas Murray’s platform is great for monitoring our third parties, particularly those who are not very transparent in their DDQ responses. We really like the ability to benchmark our bank and our service providers against like-for-like peers and competitors, this is really important.”
CISO responsible for TPRM at a Global Bank
“The established US threat intelligence providers are expensive and only part of the puzzle. Thomas Murray’s new platform is a very, very good tool for managing our third parties – it is fully automated and isn’t ‘noisy’, which can become a serious relationship issue with some providers. My team really likes the look and feel of the platform as well as the clarity of thought that has gone into making this tool.”
IT Security Specialist of a Swiss financial institution
“Thomas Murray Cyber Risk is a great complement to the tools we use today. It provides much more comprehensive information around the vulnerabilities in our IT infrastructure – and particularly has a lot more details about breached employee emails and passwords than other providers. This is extremely helpful as it allows us to contact those employees with specific, actionable intelligence, and so that we can improve the email behaviour of all staff.”
CISO of an African financial institution
“The tool is very interesting. It gives us the capability to be proactive, rather than reactive, about building the security of our core infrastructure. We are a regulated company and subject to military surveillance by our government; Thomas Murray’s tool used ethical and indirect methods to discover every week the vulnerabilities that we would normally identify during our annual penetration testing.”
Head of IT Security of a Latin American stock exchange
“The Cyber Risk platform is more complete than our existing vulnerability scanning, and we will use it to either replace or complement it. The benchmarking in particular is extremely useful.”
Director of a large Turkish financial institution
“We have been able to make major improvements to our critical applications since using the tool, increasing our score and identifying further action points to stabilise our overall rating in future. Thomas Murray has enabled us to improve our internal processes as well, by pulling together all the necessary threat intelligence feeds so that my team can focus on implementing the findings, instead of gathering the data.”
CISO, Global Custody Bank
“Thomas Murray Cyber Risk’s approach is sophisticated. Its machine learning algorithm identifies our third parties’ public IT infrastructures with huge accuracy and requires no manual intervention. We feel we can place reliance on the ratings to build a robust third-party risk management framework. The solution was new to us, but the scope and accuracy of the data is better than anything I have seen in the market.”
Head of Network Management, Global Custody Bank
“In the past, we only had occasional contact with our IT Security team, who helped to validate the responses to some DDQs [due diligence questionnaires]. Recent regulations and geopolitical events demonstrated to our bank the need to monitor the cyber risk of our post-trade counterparties around the world. Thomas Murray has been instrumental in developing such a programme for us, and in bringing Network Management and IT Security together.”
Orbit Diligence
Automate your DDQ and RFI processes for a wide range of use cases, accessing a library of off-the-shelf questionnaires and risk frameworks.