The Financial Conduct Authority recently released guidance on cyber resilience (in the form of new webpages) which FCA-regulated firms should take account of. While many larger regulated firms have substantial cyber resilience systems in place, the FCA is well aware that all firms remain vulnerable to attack, and that cyber attacks can affect customers.

The FCA notes that 66% of medium/large UK businesses were subjected to cyber attacks in 2016, and 54% of UK businesses have been hit by ransomware attacks. Since 2014, there has been a 1,700% increase in cyber attacks reported to the FCA.

The FCA raises a number of pertinent questions that firms should consider:

  • Do you review who has access to your most sensitive data?
  • Do you understand where you are vulnerable to cyber attack?
  • Do you use encryption software?
  • Do you know if you are able to restore services in the event of an attack?
  • Do you make sure your computer network is configured to prevent unauthorised access?
  • Do you use two-factor authentication where the confidentiality of the data is most crucial?
  • Do you educate your staff on cyber security risks?
  • Do you align your firm to a recognised cyber scheme?
  • Are you a member of any information-sharing arrangements?

Not all firms will need to adopt every measure mentioned by the FCA, given the nature of their business, but the FCA clearly expects firms to have thought about each of these questions.

The FCA’s Principles for Business include an obligation for firms in the financial services sector to report material cyber incidents. ‘Material’, for these purposes, is any incident that:

  • Results in the firm losing control of its IT systems
  • Results in a significant loss of data
  • Impacts a large number of victims, or
  • Results in unauthorised access to a firm’s information and communication systems, including the implementation of malicious software

The guidance informs firms of how to report incidents and of the relevant authorities to which incidents must be reported: the FCA, the Prudential Regulation Authority (if the firm is dual-regulated), and, in the event of a data breach, the Information Commissioner’s Office. The FCA’s webpage will be updated in line with future regulations to ensure that firms are able to report incidents correctly.

Links to the National Cyber Security Centre and to related FCA publications have also been provided to ensure that firms have access to a broad range of information and guidance on how best to implement cyber security measures in their systems.

The challenge for firms, and for the FCA, will be keeping on top of what is a fast-moving area, and ensuring that firms have robust yet proportionate cyber security systems in place.