Firms' confidential information, and the personal data of their customers, is increasingly being recognised as a valuable commodity, attracting the attention of sophisticated organised criminals. As custodians of what is often their customers' more sensitive personal data, not to mention, in many cases, their assets, banks and other financial services firms make an obvious target.
A report last year suggests that the average cost of cybercrime to a financial-services company in 2013 was $24 million. This represents a 44% increase over 2012 and almost double the average cost in 2010, and the highest average loss across all industry sectors.
Earlier this year, malware originating from an international group of cyber-criminals was discovered on the networks of over one hundred financial services firms across thirty countries. It is estimated that information obtained through this malware was used to fraudulently transfer up to £650 million from financial services firms, with UK banks suffering losses in the tens of millions.
- Regulatory perspectives on cyber-security
Cyber-security is attracting the attention of governments and financial services regulators globally. The US SEC confirms that cyber-security remains a priority for 2015, and recently announced that it will examine the cyber-defences of US broker-dealers and registered investment advisers, in conjunction with FINRA. In a similar vein, ASIC issued a report in March this year highlighting cyber-attacks as a major risk for Australian regulated firms.
In the UK too, the regulators have become increasingly focused on addressing cyber risk as a high priority. The PRA and the Bank of England consider cyber security in the light of their responsibilities as prudential supervisor of financial firms, as supervisor of financial market infrastructure, as operator of financial market infrastructure and as UK authority responsible for financial stability. Responsibility for consumer detriment from individual cases of cyber fraud falls to the FCA and law enforcement agencies (e.g. the National Crime Agency and the police).
The regulators freely acknowledge that a detailed prescriptive approach to regulation in this area will not work, given how quickly technology and the threats related to it evolve. Their expectations are likely to evolve as cyber threats evolve and adapt.
- A financial stability perspective
The Bank of England's proposed approach is essentially a systemic, risk-sensitive and intelligence-based one.
Acting on the Financial Policy Committee (FPC)'s June 2013 recommendation for the authorities to work with firms to test and improve cyber resilience, the UK regulators have essentially sought to assess the UK financial sector's vulnerability to cyber-attack by means of a cross-sector review of current risk management practices relating to cyber issues, and by testing in the context of the Bank of England's CBEST framework.
Thirty-six "core" firms (the largest banks, investment firms, payment systems, clearing houses and exchanges) participated in a detailed self-assessment survey of the way their cyber defences were organised. The work aimed to enable supervisors to evaluate cyber defences in individual firms and to allow regulators to look across the sector to identify good practice and benchmark capabilities between firms, with the objective of raising resilience in individual firms and thereby ensuring that the network as a whole is resilient. The expectation is that firms will need to go beyond existing standards like the Ten Steps if they are to withstand Advanced Persistent Threat (APT) attacks with a potentially systemic impact.
Although the responses did not reveal immediate critical shortcomings, some areas for improvement were identified. Common themes included:
- the need to ensure that policies and processes are dynamic, intelligent and adaptive, with capability to identify threats and detect cyber-attacks;
- the need for engagement across the business: at board level, a front line understanding and ownership of cyber risks, and the inclusion of cyber vulnerabilities in strategic planning; and
- the need for effective and regular testing (beyond mere audit assurance and control sampling).
Working with government, industry and commercial providers of penetration testing and threat intelligence, the Bank of England has developed the CBEST framework. Its approach is to use the best available intelligence on potential threats to test directly a firm's ability to protect against, detect and respond to cyber-attacks. The testing is tailored to the business of the firm and the critical services it provides, and is delivered within a controlled testing process agreed between the firm, the authorities and the test provider. Participation is voluntary (although strongly encouraged by the regulators and the FPC). Tests with the thirty-six firms that participated in the survey are underway, and some results are expected to be available to the FPC in the coming months.
Looking more broadly at resilience, in early 2014, the Bank of England reported on its Waking Shark II simulation exercise, which tested the response framework to a cyber-attack on the wholesale banks sector. A joint testing programme between US and UK governments and authorities is also planned for later this year.
- The FCA's approach
The FCA's 2015/2016 Business Plan focuses on the risk that technological change could outstrip not only firms' investment, and consumer capabilities, but also regulatory response. Key issues highlighted are:
- the greater difficulties firms operating complex and aged IT systems face in embedding effective security measures;
- the potential for knock-on impacts arising from the growing inter-connectedness of firms;
- the heightened risk of personal data and consumers being compromised as a result of increasing reliance on web-based front-end channels; and
- the importance of clarity about what cyber risks firms' insurance policies actually cover.
In the coming year, the FCA proposes to complete the thematic work begun in 2014 focusing on visibility of IT resilience and risks at Board level.
- The regulatory framework
In essence, the regulators expect firms to demonstrate that they have robust cyber-security defences in place. This will extend not only to ensuring that adequate preventative measures are established, but will also encompass crisis management planning and putting in place the correct tools to deal with breaches.
Both Principle Three of the FCA's Principles for Businesses, which requires firms to take reasonable care to organise and control their affairs effectively, and the more detailed provisions of The Senior Management Arrangements and Controls (SYSC) sourcebook, are phrased in an open fashion and are susceptible to a broad approach when assessing regulatory compliance.
The potential for knock-on effects across the financial system also means that the regulators expect early notification in accordance with firms' regulatory notification obligations under SUP 15 and Principle 11.
Although FCA disciplinary action in this area is not yet a common occurrence, early indications suggest that the FCA will take a broad approach to interpreting the Handbook rules governing the implementation of adequate systems and controls so as to encompass a firm's cyber-security measures.
In considering enforcement action, the regulators will generally consider whether a firm has failed to meet its obligations to have adequate systems and controls to identify and manage its exposure to cyber-risks, and will look at the firm's approach to operational risk, and the way in which the three lines of defence control model has been applied to those risks. The FCA has also publicly stated that it expects firms to provide redress for consumers impacted by cyber-crime perpetrated against financial institutions.
- "Appropriateness" of Cyber-Security Measures
It is difficult to generalise as to what level of cyber-security will be sufficient to meet a firm's regulatory obligations. As with other types of systems and controls, much will depend on the scale and complexity of a firm's business, the nature of the systems involved and the particular risks associated with a firm's activities. What has become clear is that firms can no longer afford to treat cyber-security as an "IT issue"; it should very much be treated as a board-level concern, in the same manner as other serious operational and legal risks facing a firm.
Developing appropriate corporate governance measures will require input from across the business, including legal and compliance, HR, public relations and, potentially, from external advisors. And senior management buy-in will be essential to successfully implementing such measures across the firm.
Creating an effective systems and controls framework supported by appropriate corporate governance measures will require input from across the business. Input from external advisers may also be valuable in providing an outside perspective and in supplementing internal skill sets. A comprehensive assessment should be carried out to identify what specific risks affect a firm and their potential impact upon the business, and a tailored cyber-risk strategy should then be developed in response. The cyber-security measures that a firm implements as part of this strategy should be tested on a regular basis and appropriate adjustments made.
For larger and more complex financial services firms, the interconnectivity of complex networks and IT systems, coupled with attempts to integrate legacy systems, or those inherited through acquisitions, means that such measures are frequently more challenging to implement in practice than for other types of firm. But, as with other types of risk, the FCA is likely to take the view that the firm should only carry on business of a particular type if it is capable of managing the associated threats and is unlikely to view such mitigating factors favourably.
Organisational measures are increasingly being recognised as being of equal importance to technological solutions in combatting cyber-crime. Ensuring that appropriate employee education programmes are rolled out and that a strong corporate governance framework is put in place, which would include developing appropriate cyber-security policies and taking steps to embed cyber-security awareness within a business's culture, will be of increasing importance. In many cases it is human operators that are a network's greatest vulnerability, and they are often unwittingly co-opted into attempts to breach firms' cyber-defences.
The FCA will expect firms to take a proportionate approach, and has not endorsed any particular standard. One way in which firms can obtain some comfort that their cyber-security measures are of a standard that is likely to both meet industry norms and satisfy regulatory expectations would be to develop their cyber-security measures within a recognised framework. Use of an appropriate framework will go some way toward demonstrating that a firm has taken steps to put in place appropriate measures. Firms will however need to consider whether there are any risk areas specific to their business that an adopted standard may not deal with.
At the UK level, in addition to CBEST, the Department for Business, Innovation and Skills has developed a Cyber Essentials certification scheme in collaboration with cyber-security experts and industry representatives. Although most suited to small and medium firms, Barclays' digital banking arm was amongst the first organisations to participate in the scheme.
For more complex firms, one of the more detailed sets of internationally recognised cyber-security standards may be more appropriate. The ISO/IEC 27000-series security standards, last revised in 2013, have become commonly accepted in many countries as the industry standard framework for the implementation of information and cyber-security.
The US National Institute of Standards and Technology's Cyber-security Framework, issued in 2014, is also assuming a higher international profile. ASIC views the NIST Cyber-security Framework as having "particular relevance for our regulated population - specifically financial service providers that operate in a global environment, given the reach and dominance of US markets and the businesses operating within them".
IOSCO has also looked at cyber-security in the context of market infrastructure and is consulting on guidance on enhancing cyber-resilience. The output may also be helpful to firms in assessing the strength of their own cyber-security measures.
Whatever framework firms choose to adopt, they will need to ensure that their approach is sufficiently adaptive to meet evolutions in cyber-threats. The decision made at this stage may in the longer term prove to be of less practical consequence given that international standards seem likely to converge over time and to exert a powerful influence over developing regulatory expectations.