On 22 June 2017, the Financial Conduct Authority (FCA) launched a new factsheet entitled ‘Good Cyber Security – the foundations’, aimed at increasing awareness of cyber security risks amongst firms in the financial sector. In particular, the fact sheet draws attention to the increasing rate of cyber attacks and to focus attention on practical steps which firms can take to mitigate the risks.
The FCA draws on the Government’s recent Cyber Security Breaches Survey to note that 66% of medium/ large businesses in the UK were subjected to cyber attacks in 2016, whilst 54% of all UK businesses have been hit with ransomware at some point. The FCA itself has seen a 1,700% increase in the number of cyber attack reports it receives from firms since 2014, demonstrating the growing threat cyber attacks pose to businesses in the financial sector.
To help firms safeguard against such attacks, the factsheet sets out a series of precautions which businesses can take to improve their cyber security practice. They include:
- Understanding the range of data held by the business and who has access to the most sensitive information
- Ensuring networks and systems are kept up to data and fully patched
- Employing two-factor authentication for most sensitive information
- Having effective disaster recovery systems in place and
- Engaging with the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative to exchange cyber threat information in real time and provide support for firms experiencing ongoing cyber attacks. CiSP is currently supported by a range of businesses from the finance and technology sectors including Lloyds Banking Group and Microsoft.
In addition to highlighting the importance of good cyber security, the FCA factsheet emphasises the Principle 11 obligation for firms to report material cyber incidents. A cyber attack which results in significant loss of data or the availability or control of IT systems, affects a large number of customers or results in authorised access to or malicious software present on IT or communications systems are all likely to be considered material by the FCA and must be reported.
This latest guidance published by the FCA, in addition to its new webpage on cyber resilience, suggests a real focus on the topic of cyber security by the FCA. Given the spate of recent global cyber attacks, and that this threat is unlikely to diminish in the foreseeable future, firms should give careful consideration to any improvements that could be made to their cyber security practices.