Nausicaa Delfas, the FCA’s Director of Specialist Supervision has delivered a speech at the FT’s Cyber Security Summit, about the FCA’s approach to cyber security in financial services firms. There are 3 short takeaways:

  1. The number of attacks reported to the FCA has increased significantly: there were 5 in 2014; 27 in 2015; and there have been 75 in 2016, so far. More attacks are occurring; more are being detected; and more firms are willing to report their experiences to the FCA;
  2. The FCA has identified 3 key emerging risks:
    • Ransomware attacks are becoming more frequent and more sophisticated: “we are no longer looking at isolated infections on end user devices: we have to consider what firms would do to recover systems if self-replicating ransomware, or other malicious software, … spread throughout their networks … if it happened tomorrow, how would you recover from such a loss where many firms adopt mirrored backup solutions that offer no help in this scenario? Could you afford to go back to a set of tapes that may be a week old? … what would have been lost in that time?
    • Data storage & outsourcing: “As more firms move to the cloud, they really do need to be aware that they adopt the cloud provider’s threat profile, as well as their ownA strong relationship with cloud providers … is critical to managing this … Firms need to understand how their data is protected…
    • Skills: there is a cyber skills gap. The industry must do what it can to bring talent into the cyber field.
  3. The FCA wants to see firms adopt a “security culture” that includes good cyber-security governance; the identification and protection of key assets; decent detection capabilities; and systems and controls that will allow them “to carry on in the event of an unforeseen interruption, and to … recover from interruptions, preserving essential data”. Some “current business continuity plans do not work where data are compromised. And timely communication is important – to consumers and markets“, and to the regulators.