FCA insights on cyber risk
The Financial Conduct Authority (“FCA”) has just published an Industry Insights document (“Insights”) on cyber security. Whilst it contains no formal guidance or rules, the Insights highlight the risks of cyber attacks to FCA-regulated firms and confirm industry best practice around the key areas of cyber resilience: governance, identification, protection, detection, situational awareness, response and recovery, and testing.
Recent Trends in Cyber Security
The FCA’s publication of the Insights comes in the wake of the recent ‘Modern Bank Heists’ Threat Report (“Report”) by Carbon Black and Optiv. The Report contains a survey of financial services firms (including “4 of the top 10 banks in the world”) and seeks to uncover cyber attack trends in the global financial sector.
The survey found that 67% of surveyed financial institutions reported an increase in cyber attacks over the past year. Cyber criminals are becoming more sophisticated, with an increase in social engineering campaigns and attacks involving malicious phishing targeted at consumers. The Report also highlights the fact that “geopolitical tension is manifesting in cyberspace”, with attacks from certain nation states hitting SWIFT payment systems. Another worrying trend is the shift towards destructive attacks where hackers destroy data (rather than extract or extort it for financial gain). The poll illustrated that reports of these types of attacks had spiked by 160% within the last 12 months.
The financial sector is responding to the threat, with a reported 69% of firms planning to increase their cyber security spend by 10% or more. Security measures are becoming more proactive, with firms investing in threat hunting teams to speed up identification and recovery. However, as the Report warns, despite the financial sector having some of the most robust systems and defences, firms are by no means immune to the threat of cyber attacks.
FCA Insights and Rules
Previously, the FCA has focused on cyber resilience (as discussed in a previous blog post), with the advice to firms being to develop a culture of security and to ensure they are able to identify and prioritise their information assets. To this end, the FCA launched the Cyber Coordination Groups (“CCGs”), of which over 175 firms are members. The CCGs allow the industry to work together in order to improve practices and promote the understanding of new cyber security methods and procedures.
The latest Insights document builds on this work. The Insights make clear that there is no “one size fits all approach” to cyber security, as much will depend on firms understanding their own business in order to have a clearer picture of the potential threats. Further, there is no replacement for firms adhering to existing security configuration standards such as CIS Benchmarks and guidance from the National Cyber Security Centre (“NCSC”).
However, the Insights set out practical steps, which firms are encouraged to take, such as implementing effective cyber security policies, procedures and controls; delivering cyber security training; proactively managing third-party suppliers; and investing in encryption.
Firms should also be sure to comply with the regulatory requirements relating to cyber security. Under Principle 11 of the Principles for Businesses, the FCA expects firms to have controls and procedures in place to report material cyber incidents. When reporting these incidents, the FCA advises firms to contact their named FCA supervisors and the Prudential Regulation Authority (if the firm is dual-regulated). In addition, firms should consider reporting an attack to Action Fraud (if the incident is criminal) and the Information Commissioner’s Office (if the incident is a data breach).
The FCA is promoting co-operation and shared responsibility in the quest for increased cyber security. This community approach to the issue reflects wider industry and government initiatives (such as the Cyber Security Information Sharing Partnership developed by the NCSC).
The FCA has stated that it will continue to support the CCGs over the next 12 months and will keep sharing industry insights and innovative practices with the wider financial community.