Last month the Financial Conduct Authority (FCA) published a report on the themes identified in a cross-sector survey on cyber and technology resilience (the Report). The Report notes that all firms should consider the findings and feedback. It flags the FCA's key areas of future focus and should be read as a warning that ignoring these issues may lead to regulatory action. This article summarises the key themes identified in the Report. We also identify some similar areas of focus for the Information Commissioner (ICO), drawn from recent fines issued for data security breaches involving personal data.
To gain a better understanding of the financial services industry's resilience to the risks associated with new technology and cyber-attacks, in 2017 and 2018 the FCA surveyed 296 firms, looking at key areas such as governance, delivery of change management, managing third party risks and effective cyber defences. The firms surveyed fell into the following sectors: wholesale financial markets and banking; asset management; retail lending, investments and banking; non-bank payment services; general insurance and protection; and pensions and retirement income.
In her speech announcing the Report, Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists, said that, “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services”. Butler pointed out that the “remarkable” current level of threat “creates risks not just for individual customers’ money and data, but for the UK economy”.
Governance and Managing Change
The Report highlights governance as a key area of concern, noting that while firms assessed this as the area where they had the most mature capabilities, there is room for improvement, including in senior-level engagement, challenge and skills.
There was particular concern that firms were overly confident in their ability to manage changes in their technology platforms. The Report notes that 20% of the operational incidents (e.g. IT outages) reported to the FCA in the period were explicitly linked to weaknesses in change management, implying a mismatch between expectations and reality. The FCA says it will be carrying out further work to identify the underlying causes. The problems experienced by TSB are specifically referred to by Butler in this respect in her speech, but she makes it clear that it is not just large IT migration projects of that kind that lead to issues. Butler emphasises that leaders need sufficient board-level knowledge, in-house capability and high-quality management information to scrutinise all IT change programmes, which are fallible.
In her speech, Butler summarises the steps that firms could take to address these issues, including:
- focussing on the continuity of their most important business services. The Report makes clear that the FCA considers business continuity in this area an essential component of operational resilience; and
- ensuring that, amongst other things:
  - appropriate tolerances are established for operational disruption;
  - appropriate back-up plans are in place, with response and recovery options; and
  - staff are provided with appropriate training.
On questions of governance in this area, the Report notes that for smaller firms, identifying clear accountabilities is more of a challenge, and such firms often describe their cyber strategy as incomplete or not yet implemented. On the other hand, larger firms that are already subject to the Senior Managers’ Regime report a clearer structuring of roles and responsibilities and ownership of a cyber security strategy. Firms also reported a lack of board understanding of cyber risks, and that management information is often not presented to the board in a way that can be easily understood and challenged; the FCA notes that it has also seen this in its supervisory work. The Report acknowledges that firms can bring in external support to address this challenge, but that this could lead to over-reliance on external capability.
Whilst Butler notes in her speech that financial services is more alive than many other sectors to the risk of cyber attack, there is still concern that there are serious vulnerabilities around identification of key assets and information and around detecting breaches. She also notes that a third of firms do not perform regular cyber assessments; most know where their data is but describe maintaining that picture as a challenge. In addition, nearly half of firms do not retire or upgrade their old IT systems in time. Only 56% said that they could measure the effectiveness of their information asset controls.
The Report refers to firms recognising the need for improvement in the areas of identifying key assets, services and people, including those provided by third parties, sharing information and detection of attacks.
Identification of key assets, services and third parties
a) The Report notes that while firms understand what information they have and their critical business functions, they find it challenging to maintain this understanding including when using a third party as a service provider.
b) The Report notes that there is a significant risk that vulnerabilities in unsupported assets are not identified and fixed in a timely way, and that this is a regular route in for attackers. In this respect, the FCA is concerned that firms are not addressing the more obvious risks presented to their business and customers by their technology estate.
Sharing information
a) The Report notes that larger firms (particularly in the retail and wholesale banking sectors) are more willing to share information about cyber attacks and threats. However, some firms said that they choose not to share relevant information, or had an ad hoc approach to sharing or gathering it. The Report notes that this may undermine firms’ ability to provide or seek help in the event of a cyber attack affecting the wider sector.
b) The Report also notes the lack of consistency in how firms share information, suggesting that there could be more effective collaboration across the industry. The FCA encourages all firms to take a more open approach to information sharing with their peers.
High-risk staff and a security culture
a) While 90% of firms confirmed they operate a cyber awareness programme, the FCA is disappointed that not all firms operate one.
b) Firms described difficulty in identifying and managing their high-risk staff, such as those who deal with critical and sensitive data (e.g. senior executives and their immediate staff who have access to such data). Even where firms did identify staff in high-risk roles, fewer than half said they provided additional cyber security measures for those staff. As a result, such staff may not be properly educated about, or prepared for, the increased risks they will encounter. The Report notes that this presents a significant weakness, especially given the prevalence of social engineering and phishing that target precisely these individuals as part of a cyber-attack. Allowing too many individuals access to too much personal data was also one of the findings underlying the ICO’s recent fine issued to Bupa Insurance Services Limited following the unauthorised taking of large amounts of customer personal data.
c) The Report, as well as Butler’s speech, emphasises the importance of creating and embedding a positive security culture that runs through all aspects of the organisation.
Detecting attacks
While large firms report that they have automated systems to spot potential cyber-attacks and support their subsequent response, smaller firms are mainly reliant on manual processes or have no processes at all. The Report states that this should be a focus for firms, since weaknesses in one area are likely to undermine stronger capabilities in other areas.
Managing third parties
The Report states that half of the firms said they do not maintain a comprehensive list of all third parties with whom they do business and which access their systems and data. The Report notes that “the adoption of a risk-based approach to assessing the criticality of each third party and the potential impact caused in an adverse situation is fundamental to resilience”. This is also a theme emerging from recent ICO fines arising out of data security breaches, where the ICO has highlighted weaknesses in controls where data is shared between organisations as being one of the bases for imposing large fines.
The Report states that the FCA’s supervisory plans for 2019 will concentrate on key areas of focus such as third party management and change management. Firms should assess their systems, controls and procedures so that they are resilient to technology change and able to resist and respond to cyber attacks, which are increasingly commonplace.
In her speech, Butler states that the FCA is happy for firms to find solutions that work for them, as long as those solutions allow the firms to demonstrate that their systems and controls work. According to Butler, the FCA’s observation is that “the most effective management of risk takes place in firms that employ a traditional ‘three lines of defence’ model. And where each of these lines is strong. Creating clarity and identifiable roles, as well as a natural check and challenge between them that promotes a healthy culture”.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2018