Following the conclusion of the FCA’s cross sector survey on cyber and technological risk (report available here), in a speech on 27 November 2018 Megan Butler (a Director of Supervision at the FCA) gave voice to some of the FCA’s views on how the UK financial services industry is managing technological risk as well as further detail on the FCA’s regulatory focus on resilience.
It is clear that the number of technological incidents - whether caused by technological failure or cyberattacks - has been increasing in recent years. This is reflected in the FCA’s figures: in the last year reports to the FCA of technological outages have increased by 138% while cyber incident reports have increased by 18%. The FCA has previously expressed the view that there was material under-reporting of cyber incidents in the financial sector. It is unclear whether this increase will have changed that view. What is evident is that the FCA, along with everyone else, sees no end in sight to the escalation in such incidents.
In this context the FCA again emphasises the importance of resilience. It recognises that incidents will happen; its focus is on how firms manage those incidents. A few points can be gleaned from Butler’s speech that firms should keep in mind when assessing their own systems and controls.
First, notwithstanding the prominence of newsworthy cyberattacks, the FCA is deeply concerned by the dramatic increase in the number of technological outages reported, many of which relate to risk factors that the FCA has repeatedly highlighted, including outsourcing (see our article here) and re-platforming. The FCA suggests that firms and their senior managers either have their heads in the sand or are dramatically overconfident about their ability to manage technological change while avoiding outages in key systems.
Given that continuity of business services is an “essential component of operational resilience”, and that failures of it have led to very significant fines in the past, this should be a key issue for firms. The FCA emphasises the need for firms to focus on classic systems and controls to prevent these outages and, in particular, on the impact of tone from the top in enabling a culture that can effectively manage such change programmes.
Secondly, given the “remarkable” current threat levels from cyberattacks (at both a systemic and a consumer level), firms must focus on further improving their cyber resilience and now move beyond the basics. In particular:
- firms should be performing regular cyber assessments; currently a third do not;
- firms should be upgrading or retiring out-of-date IT systems in time; currently nearly half do not;
- firms should be able to measure the effectiveness of information asset controls; currently 44 say they cannot; and
- all firms, including small firms, need to automate their detection systems to spot potential cyberattacks; currently this is typical only in the largest firms.
Third and finally, firms must not treat cyber resilience as a purely technological challenge. The human risk is as great as, and very often greater than, the technological risk. Firms need to educate their staff, but this needs to go beyond the standard cyber awareness programme. It should include identifying and managing high-risk staff, particularly those who deal with critical and sensitive data, in order to minimise risk and build a “positive security culture”.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.