August 18, 2019

August 16, 2019


FCA insights on cyber risk

The Financial Conduct Authority (“FCA”) has just published an Industry Insights document (“Insights”) on cyber security. Whilst not containing any formal guidance or rules, the Insights highlight the risks of cyber attacks to FCA-regulated firms and confirm industry best practice around the key areas relating to cyber resilience: governance, identification, protection, detection, situational awareness, response and recovery, and testing.

Recent Trends in Cyber Security

The FCA’s publication of the Insights comes in the wake of the recent ‘Modern Bank Heists’ Threat Report (“Report”) by Carbon Black and Optiv. The Report contains a survey of financial services firms (including “4 of the top 10 banks in the world”) and seeks to uncover cyber attack trends in the global financial sector.

The survey found that 67% of surveyed financial institutions reported an increase in cyber attacks over the past year. Cyber criminals are becoming more sophisticated, with an increase in social engineering campaigns and attacks involving malicious phishing targeted at consumers. The Report also highlights the fact that “geopolitical tension is manifesting in cyberspace”, with attacks from certain nation states hitting SWIFT payment systems. Another worrying trend is the shift towards destructive attacks where hackers destroy data (rather than extract or extort it for financial gain). The poll illustrated that reports of these types of attacks had spiked by 160% within the last 12 months.

The financial sector is responding to the threat, with a reported 69% of firms planning to increase their cyber security spend by 10% or more. Security measures are becoming more proactive, with firms investing in threat hunting teams to speed up identification and recovery. However, as the Report warns, despite the financial sector having some of the most robust systems and defences, firms are by no means immune to the threat of cyber attacks.

FCA Insights and Rules

Previously, the FCA has focused on cyber resilience (as discussed in a previous blog post), with the advice to firms being to develop a culture of security and to ensure they are able to identify and prioritise their information assets. To this end, the FCA launched the Cyber Coordination Groups (“CCGs”), of which over 175 firms are members. The CCGs allow the industry to work together in order to improve practices and promote the understanding of new cyber security methods and procedures.

The latest Insights document builds on this work. The Insights make clear that there is no “one size fits all approach” to cyber security, as much will depend on firms understanding their own business in order to have a clearer picture of the potential threats. Further, there is no replacement for firms adhering to existing security configuration standards such as CIS Benchmarks and guidance from the National Cyber Security Centre (“NCSC”).

However, the Insights set out practical steps, which firms are encouraged to take, such as implementing effective cyber security policies, procedures and controls; delivering cyber security training; proactively managing third-party suppliers; and investing in encryption.

Firms should also be sure to comply with the regulatory requirements relating to cyber security. The FCA expects, under Principle 11 of the Principles for Businesses, firms to have controls and procedures in place in order to report material cyber incidents. When reporting these incidents, the FCA advises firms to contact their named FCA supervisors and the Prudential Regulation Authority (if the firm is dual-regulated). In addition, firms should consider reporting an attack to Action Fraud (if the incident is criminal) and the Information Commissioner’s Office (if the incident is a data breach).

Conclusion

The FCA is promoting co-operation and shared responsibility in the quest for increased cyber security. This community approach to the issue reflects wider industry and government initiatives (such as the Cyber Security Information Sharing Partnership developed by the NCSC).

The FCA has stated that it will continue to support the CCGs over the next 12 months and will keep sharing industry insights and innovative practices with the wider financial community.

© Copyright 2019 Squire Patton Boggs (US) LLP



About this Author

Garon Anthony, Squire Patton Boggs, litigation attorney
Partner

Garon Anthony is a partner in the Litigation Practice Group. He has specialised in dispute resolution work since he qualified as a solicitor and has considerable experience in general corporate and commercial litigation work, acting for both private and public sector clients.

Garon regularly resolves disputes for clients in the financial services/insurance sector. That encompasses professional negligence, fraud issues/recovery processes, dealing with claims and complaints by customers of the mis-selling of retail products, handling insurance policy coverage disputes for corporate...

44 121 222 3507
Mariyam Harunah Debt Recovery Attorney Squire Patton Boggs
Associate

Mariyam regularly acts for a diverse client base, including SMEs, FTSE 100 and 250 corporations, public bodies, developers, insurers and individuals.

Mariyam has experience advising on a wide range of matters of both a contractual and tortious nature, including breach of contract, breach of warranty, misrepresentation, defamation, professional negligence, debt recovery and insurance.

Experience

  • Assisting on an approximately £160 million multi-action and multi-defendant claim following the sale of a company to investor clients.

  • Acting on a variety of disputes for clients seeking the recovery of unpaid monies owed pursuant to contract.

  • Acting on a portfolio of financial mis-selling claims for a leading international bank.

  • Advising a variety of clients upon termination of contract issues.

  • Acting for industrial manufacturers and suppliers in the defence of contractual and tortious disputes with technical complexities, arising out of the provision of allegedly defective products.

  • Assisting in the provision of bespoke and strategic advice to a national regulator dealing with persistent defamation and harassment.

  • Acting for a leading hire purchase provider in enforcement proceedings.

  • Assisting on a £500,000 negligence claim by a leading supermarket arising out of property damage and business interruption at one of its warehouses.

44 121 222 3175