July 3, 2020

Volume X, Number 185

FCA insights on cyber risk

The Financial Conduct Authority (“FCA”) has just published an Industry Insights document (“Insights”) on cyber security. Whilst not containing any formal guidance or rules, the Insights highlight the risks of cyber attacks to FCA regulated firms and confirm industry best practice around the key areas relating to cyber resilience: governance, identification, protection, detection, situational awareness, response and recovery, and testing.

Recent Trends in Cyber Security

The FCA’s publication of the Insights comes in the wake of the recent ‘Modern Bank Heists’ Threat Report (“Report”) by Carbon Black and Optiv. The Report contains a survey of financial services firms (including “4 of the top 10 banks in the world”) and seeks to uncover cyber attack trends in the global financial sector.

The survey found that 67% of surveyed financial institutions reported an increase in cyber attacks over the past year. Cyber criminals are becoming more sophisticated, with an increase in social engineering campaigns and attacks involving malicious phishing targeted at consumers. The Report also highlights the fact that “geopolitical tension is manifesting in cyberspace”, with attacks from certain nation states hitting SWIFT payment systems. Another worrying trend is the shift towards destructive attacks where hackers destroy data (rather than extract or extort it for financial gain). The poll illustrated that reports of these types of attacks had spiked by 160% within the last 12 months.

The financial sector is responding to the threat, with a reported 69% of firms planning to increase their cyber security spend by 10% or more. Security measures are becoming more proactive, with firms investing in threat hunting teams to speed up identification and recovery. However, as the Report warns, despite the financial sector having some of the most robust systems and defences, firms are by no means immune to the threat of cyber attacks.

FCA Insights and Rules

Previously, the FCA has focused on cyber resilience (as discussed in a previous blog post), with the advice to firms being to develop a culture of security and to ensure they are able to identify and prioritise their information assets. To this end, the FCA launched the Cyber Coordination Groups (“CCGs”), of which over 175 firms are members. The CCGs allow the industry to work together in order to improve practices and promote the understanding of new cyber security methods and procedures.

The latest Insights document builds on this work. The Insights make clear that there is no “one size fits all approach” to cyber security, as much will depend on firms understanding their own business in order to have a clearer picture of the potential threats. Further, there is no replacement for firms adhering to existing security configuration standards such as CIS Benchmarks and guidance from the National Cyber Security Centre (“NCSC”).

However, the Insights set out practical steps, which firms are encouraged to take, such as implementing effective cyber security policies, procedures and controls; delivering cyber security training; proactively managing third-party suppliers; and investing in encryption.

Firms should also be sure to comply with the regulatory requirements relating to cyber security. The FCA expects, under Principle 11 of the Principles for Businesses, firms to have controls and procedures in place in order to report material cyber incidents. When reporting these incidents, the FCA advises firms to contact their named FCA supervisors and the Prudential Regulation Authority (if the firm is dual-regulated). In addition, firms should consider reporting an attack to Action Fraud (if the incident is criminal) and the Information Commissioner’s Office (if the incident is a data breach).


The FCA is promoting co-operation and shared responsibility in the quest for increased cyber security. This community approach to the issue reflects wider industry and government initiatives (such as the Cyber Security Information Sharing Partnership developed by the NCSC).

The FCA has stated that it will continue to support the CCGs over the next 12 months and will keep sharing industry insights and innovative practices with the wider financial community.

© Copyright 2020 Squire Patton Boggs (US) LLP

National Law Review, Volume IX, Number 99


About this Author

Garon Anthony, Litigation Attorney, Squire Patton Boggs, Birmingham, UK

Garon is a partner in the Litigation Practice Group. He advises clients across the full range of commercial dispute issues, including cyber liability/data breach, professional negligence, banking, pensions and insurance.

Garon regularly acts for clients who are subject to investigations or disciplinary proceedings by national and international regulators, including most recently the Financial Conduct Authority, the Financial Reporting Council and the Dubai Financial Services Authority.

44 121 222 3507

Mariyam Harunah, Debt Recovery Attorney, Squire Patton Boggs

Mariyam regularly acts for a diverse client base, including SMEs, FTSE 100 and 250 corporations, public bodies, developers, insurers and individuals.

Mariyam has experience advising on a wide range of matters of both a contractual and tortious nature, including breach of contract, breach of warranty, misrepresentation, defamation, professional negligence, debt recovery and insurance.


  • Assisting on an approximately £160 million multi-action and multi-defendant claim following the sale of a company to investor clients.

  • Acting on a variety of disputes for clients seeking the recovery of unpaid monies owed pursuant to contract.

  • Acting on a portfolio of financial mis-selling claims for a leading international bank.

  • Advising a variety of clients upon termination of contract issues.

  • Acting for industrial manufacturers and suppliers in the defence of contractual and tortious disputes with technical complexities, arising out of the provision of allegedly defective products.

  • Assisting in the provision of bespoke and strategic advice to a national regulator dealing with persistent defamation and harassment.

  • Acting for a leading hire purchase provider in enforcement proceedings.

  • Assisting on a £500,000 negligence claim by a leading supermarket arising out of property damage and business interruption at one of its warehouses.

44 121 222 3175