On 27 November 2018, the FCA published a report summarising its findings from an in-depth survey into the technology and cyber capabilities of 296 firms (the "Report"). The Report highlights the key themes from the cross-sector survey and identifies areas of strength and areas for improvement across all sectors.
It is strongly advised that all firms review, analyse and reflect on the findings in the Report. The FCA makes no secret of the fact that cyber and technology resilience will form the basis of future supervisory enquiries and subsequent enforcement action if it sees inappropriate responses and inadequate protection being put in place.
The FCA surveyed a range of firms between October 2017 and September 2018 across key areas such as governance, delivery of Change Management, managing third party risks and effective cyber defences. Firms self-assessed their capabilities; the FCA then compared that information with the incident data reported to it, as required under Principle 11 or SUP 15.3 (the requirement for firms to report "material" cyber incidents).
The key conclusions are as follows:
- Some firms identified a lack of cyber and technology knowledge at board level, which may limit the board's ability to challenge decisions effectively. Board and senior management engagement with cyber and technology resilience is critical to improving firms' wider operational resilience.
- Firms identified challenges in identifying and managing their high-risk staff and educating those individuals with access to critical systems or sensitive data, who are more likely to be targeted by cyber criminals.
- There is scope for improving information sharing. The FCA is encouraged that many larger firms play active roles in information sharing networks and platforms, but is concerned that this does not extend to smaller firms.
- Change Management was the number one root cause of failure, and accounted for 20% of the operational incidents reported to the FCA during the relevant period. In this respect, firms are encouraged to review the joint Discussion Paper on Building the UK financial sector’s operational resilience.
- Managing third parties is becoming increasingly important, especially as IT failures at important suppliers accounted for 15% of the operational incidents reported to the FCA (the second highest root cause).
Speaking at the publication of the Report, Megan Butler (the FCA's Executive Director of Supervision) sought to dispel the myth that cyber security is just a technology risk, instead characterising it as a "human risk", and highlighted that many firms do not upgrade IT systems in time and are unable to measure the effectiveness of their information controls. Ms Butler also stated that often it isn't the technology at fault, "it's classic systems and controls failures". This will be familiar territory to regulated entities, and it seems that the FCA is encouraging firms to confront the risk presented by cyber security and technology-related incidents, and to embrace the way in which this significant risk is identified and mitigated within their businesses.
Alongside the Report, the FCA published a helpful infographic about how to react to a ransomware attack, which firms are advised to consider.
When considering the Report, it is important to bear in mind that there have been a number of high profile cyber and technology failures in the financial services sector in the last twelve months. Barclays, HSBC, RBS, Visa and TSB have all had to contend with public scrutiny and regulatory focus. Further, the Treasury Select Committee has now launched an inquiry into whether banks can prevent disruption to services and how they would respond in the event of an IT failure.
In this context, any firm which attracts cyber and technology-related regulatory scrutiny cannot expect any sympathy. The Report, and the wider context, serve as a warning shot to businesses: if they do not get their house in order, they can expect supervisory attention and potential enforcement.