Cyber resilience in financial services firms has been a focus of the regulators (both PRA and FCA) for some time. Under the Senior Managers and Certification Regime (SMCR), senior managers will be held to account for inadequate cyber resilience.
The FCA, in response to a Freedom of Information (FOI) Act request, has revealed that the number of declared cyber events rose from 69 in 2017 to 819 in 2018. The figures show that cyber-attacks accounted for 11% of all reported incidents in 2018, but that third-party failures and changes in management together accounted for a further 39%.
There still, however, appears to be a tendency in financial services to under-report cyber incidents.
FCA focus on cyber resilience in financial services
In November 2018, we published a blogpost following a speech given by Megan Butler (a Director of Supervision at the FCA) in which she gave voice to some of the FCA’s views on how the UK financial services industry is managing technological risk, as well as further detail on the FCA’s regulatory focus on cyber resilience.
It was evident from the speech, which followed the FCA’s cross-sector survey on cyber and technological risk (report available here), that cyber incidents had been increasing in recent years. The National Cyber Security Centre describes a cyber incident as “a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system.”
Whilst this, of course, includes cyber-attacks (such as malware/ransomware, denial of service and phishing), many incidents in 2018 were attributable to other causes, including third-party failure (21%), hardware/software failure (19%), and changes in management (18%). After this, cyber-attacks were the fourth most common cause of reported incidents (11%).
The National Cyber Security Centre describes phishing as “untargeted, mass emails sent to many people asking for sensitive information or encouraging them to visit a fake website.” When this statistic is considered against the FCA’s previous concerns of widespread under-reporting in the financial services industry (initially voiced in 2017), a picture begins to emerge. Incidents arising from hardware/software failures are less likely to involve human intervention at the point of breach; the same is not true of a phishing attack, the success of which is predicated on human error. This could go some way to explaining a reluctance by firms to report to the FCA in a timely manner.
Reporting of cyber incidents
The FCA’s response to the recent Freedom of Information request has revealed a significant rise in the number of declared cyber incidents. The FOI response confirms that out of a total of 819 reported cyber incidents in 2018 (a seismic increase on just 69 reported in 2017), 93 were classified as cyber-attacks, of which over half were the result of phishing.
However, despite this sharp increase in reported incidents, the general consensus appears to be that under-reporting remains as prevalent as ever. Such an approach is, in our view, unhelpful, and not in tune with the industry-wide need for improved cyber resilience. The obvious benefits of reporting cyber incidents (and doing so in a timely manner) include:
- avoiding the risk of FCA-imposed sanctions/penalties
- from a law enforcement perspective, treating every reported incident as an opportunity to investigate, and
- acknowledging that the FOI response is now in the public domain, and that a continuing culture of under-reporting will only encourage further criminal activity/exploitation.
Indeed, the FOI request confirms that cyber-attacks in and of themselves accounted for 11% of all reported incidents in 2018. However, with third-party failures and changes in management together accounting for a further 39%, the standalone issue of human intervention cannot be ignored.
Firms should therefore focus on staff training and technology equally, in a bid to advance a robust approach which will hopefully see the number of reportable cyber incidents in future years decline. Under the SMCR, senior managers will be held to account by the regulators in the event that a regulated firm fails to establish adequate operational and cyber resilience.
One thing is clear, however: the FCA’s previously held concerns surrounding under-reporting in the financial services industry were undoubtedly well-founded and should be addressed as a matter of course.