The FCA’s Business Plan for 2017/18 identified cyber risk as a cross sector priority for the FCA. In keeping with the FCA’s drive to encourage firms to acknowledge, confront and manage cyber risk, at the PIMFA Financial Crime Conference on 25 January 2018, Robin Jones (Head of Technology, Resilience & Cyber, FCA) delivered a warning that along with the benefits of technological innovation come threats of increasingly sophisticated cyber-attacks. The most common are data thefts and attacks on company systems.

Mr Jones outlined the following risks for authorised firms:

  • It is vital that firms act to protect critical information, are able to detect breaches and respond quickly;
  • Cyber-attacks are a moving feast – they will evolve to meet defence systems;
  • Resilience is key – and the FCA, as a regulator, cares about resilience; and
  • Putting foundations in place will help employees to act securely.

Mr Jones said that in the UK, ten significant cyber-attacks occur every week and the FCA expects firms to take action to help prevent and detect attacks and have a contingency plan in place for when attacks do occur.

Therefore, firms must:

  • identify their key assets to ensure that these are adequately protected;
  • address the vulnerability of systems (the effects of the Wanancry attack in 2017 could have been mitigated if the NHS had followed basic security best practices);
  • ensure staff are following best practices e.g. spotting phishing emails, encouraging password changes, managing access to data etc; and
  • educate business leaders, as well as technology departments, on these threats and how to respond.

Mr Jones stressed that learning to respond and recover from successful attacks is as important for businesses as prevention. He recommended that firms must:

  • detect attacks quickly i.e. through implementing effective monitoring software. In the recent NotPetya attack, one company with over 10,000 connected systems experienced a total failure in just 19 minutes;
  • implement robust contingency plans in the event of a successful attack;
  • implement a communication plan to quickly contact key people including staff, consumers, suppliers and authorities; and
  • learn and adapt from past failures. For example, firms that remedied shortcomings highlighted by the WannaCry ransomware attack in May 2017 were able to deal with the NotPetya attack quickly.

Although each firm will strive to achieve “resilience” in a different way, it is clear that cyber security a threat that all firms must be prepared for.

To assist firms, the FCA has introduced “cyber co-ordination groups”, with over 175 firms participating quarterly. The intention is that firms can share experiences and that knowledge sharing will increase understanding/awareness. In addition, the FCA has helped to create the Financial Sector Incident Response Guide, providing useful guidance for firms on their responsibilities, seeking assistance and responding to a cyber attack.