In a speech at the FT Cyber Security Summit, the FCA outlined its approach to cybersecurity in financial services firms. Separately, the Group of 7 (“G7”) has issued an 8-point framework for the financial sector, intended to push financial firms to design a cybersecurity strategy.
We explore each piece of guidance below.
The FCA’s approach
So far, the FCA has been working closely with the industry as it recognises that preventing cyber attacks is a shared responsibility, particularly between government, regulators and firms. Now, the FCA is assessing which firms it believes pose the greatest risk should their services be disrupted by a cyber attack.
The FCA expects firms of all sizes to have already established – and to continue developing – a security culture which is “driven from the top down”, from an active Board through to the commitment of every employee. Here are some of the pointers:
- Good governance: senior management engagement and effective input from the Board
- Identification and protection of key assets: adequate screening of staff, training them to recognise threats and testing defences
- Detection: adequate detection capabilities to identify attacks promptly
- Recovery and response: systems and controls to ensure the business can carry on in the event of unforeseen interruption and be able to recover from an attack, while preserving the essential data
- Information sharing: reporting material breaches to the FCA (in line with Principle 11 of the FCA Handbook). Complying with this requirement and sharing this information via the Cyber Information Sharing Partnership platform is crucial for “identifying and tackling patterns of attacks.”
Cyber risk is an evolving and asymmetric threat which the FCA describes as easier to perpetrate than to defend against. Three emerging risks were identified:
- Ransomware: 2015 saw a 35% increase in reported ransomware attacks. Firms need to be alive to these risks and the level of sophistication behind ransomware attackers.
- Data storage/outsourcing: with the rise of storing data in the cloud, firms need to be aware that they also inherit the “cloud provider’s threat profile”. Firms cannot pass on the responsibility for those additional risks; it stays with the firm.
- Skills gap: the FCA recognises that some firms struggle to find and recruit skilled staff to analyse data and respond to cyber threats. The FCA is keen to support initiatives that seek to bridge this gap, including the government’s FastTrack cyber apprenticeship scheme.
G7’s Fundamental Elements
It is interesting to see that the G7’s 8-point cyber security framework for the financial sector largely reflects the approach the FCA has adopted:
- Cybersecurity strategy and framework: to identify, manage and reduce cyber risks effectively in an integrated manner. Cybersecurity strategies should be tailored to the nature, size, complexity, risk profile and culture of the firm. This element encourages collaboration between firms and public authorities in the sector.
- Governance: managing and overseeing the effectiveness of the cybersecurity strategy to ensure accountability
- Risk and control assessment: identifying and managing the risks associated with the particular functions, activities, products and services of the firm.
- Monitoring: establishing systematic monitoring processes to promptly detect cyber incidents, and continuing to evaluate the effectiveness of the controls identified by the firm
- Response: promptly analysing the cyber incident (including the nature, scope and impact); mitigating it; notifying internal and external stakeholders; and coordinating a joint response
- Recovery: continuing with business operations responsibly, including eliminating the harm caused; restoring systems and preserving the data; identifying and mitigating all vulnerabilities; applying further remediation to prevent recurrence; and communicating both internally and externally
- Information sharing: liaising with internal and external stakeholders in sharing reliable and actionable cybersecurity information
- Continuous learning: reviewing the strategy and framework (including elements 2-7 above) periodically and also when events arise, for the purposes of identifying gaps and any necessary changes
These guidance notes highlight that cybersecurity is a priority not just for the FCA, but also for governments across the world.
The Chancellor, Philip Hammond, recently launched the UK government’s new National Cyber Security Strategy, which is underpinned by an investment of £1.9 billion. One of the first tasks for the National Cyber Security Centre – the UK’s authoritative voice on cybersecurity – will be to work with the Bank of England to produce targeted advice for the financial sector.
In light of the recent launch of the UK government’s cyber strategy and its plan to work collaboratively with the financial sector, it will be interesting to see how this guidance develops. That said, financial services firms cannot sit back and wait for further guidance; it is crucial that they implement these strategies now.