Nausicaa Delfas, the FCA’s Director of Specialist Supervision, has delivered a speech at the FT’s Cyber Security Summit about the FCA’s approach to cyber security in financial services firms. There are 3 short takeaways:
- The number of attacks reported to the FCA has increased significantly: there were 5 in 2014; 27 in 2015; and there have been 75 in 2016, so far. More attacks are occurring; more are being detected; and more firms are willing to report their experiences to the FCA;
- The FCA has identified 3 key emerging risks:
  - Ransomware attacks are becoming more frequent and more sophisticated: “we are no longer looking at isolated infections on end user devices: we have to consider what firms would do to recover systems if self-replicating ransomware, or other malicious software, … spread throughout their networks … if it happened tomorrow, how would you recover from such a loss where many firms adopt mirrored backup solutions that offer no help in this scenario? Could you afford to go back to a set of tapes that may be a week old? … what would have been lost in that time?”
  - Data storage & outsourcing: “As more firms move to the cloud, they really do need to be aware that they adopt the cloud provider’s threat profile, as well as their own… A strong relationship with cloud providers … is critical to managing this … Firms need to understand how their data is protected…”
  - Skills: there is a cyber skills gap. The industry must do what it can to bring talent into the cyber field.
- The FCA wants to see firms adopt a “security culture” that includes good cyber-security governance; the identification and protection of key assets; decent detection capabilities; and systems and controls that will allow them “to carry on in the event of an unforeseen interruption, and to … recover from interruptions, preserving essential data”. Some “current business continuity plans do not work where data are compromised. And timely communication is important – to consumers and markets”, and to the regulators.