Dec 52016

FCA Outlines its Approach to Cybersecurity in Financial Services Institutions

William RM Long, Thomas Fearon and Vishnu Shankar
, , , , , ,

A recent speech by the Financial Conduct Authority (“FCA”) Director of Specialist Supervision, Nausicaa Delfas, delivered at the Financial Times’ Cyber Security Summit, shows that the FCA, which is the leading financial services regulator in the United Kingdom, is taking the issue of cyber security seriously and that it believes new approaches are needed to combat the threat to financial services firms.

The FCA’s concerns are consistent with those being expressed by US banking regulators and the Group of Seven (G-7) industrial nations who agreed on a set of guidelines to combat cyber risks affecting global financial institutions.

The Current Threat

Delfas outlined the scale of the threat currently faced by FCA regulated firms. The FCA has received 75 reports of cyber attacks so far in 2016, compared with the 5 reports filed in 2014. She also drew attention to recent serious cyber attacks on large businesses such as Talk Talk, SWIFT and Bank of Bangladesh. It is therefore unsurprising that “cyber resilience” has become a “matter of priority” for the FCA.

The FCA Approach

The FCA’s focus so far has been two fold. First, it has sought national and international co-operation both with industry and other regulatory bodies. For example, in January 2015 it carried out a trans-Atlantic resilience exercise called Resilience Shield which drew up a collective response to a major international cyber event. Secondly, it has focused its attention on the largest and most critical targets by conducting probing testing of critical national financial infrastructure in conjunction with the Bank of England.

Delfas believes that it is now time for the FCA to widen its focus to include many more of the 56,000 firms it regulates with particular focus on firms which would pose the greatest threat to the FCA’s objectives if their services were disrupted by cyber attack. This is not simply a question of firm size. Even small firms can hold sufficiently large quantities of sensitive data that could disrupt the financial sector if compromised.

The FCA has made clear it recognises that there is no single strategy for effectively managing cyber security risk. It does, however, expect a “security culture” in the firms it supervises. This should be “driven from the top down” and includes the following approaches:

  1. Implement good cyber security governance, including senior management engagement;
  2. identify key assets vulnerable to attack and design appropriate protections;
  3. maintain adequate detection capabilities in place so that attacks can be quickly identified;
  4. back-up recovery and response systems to allow business functions to continue after unforeseen interruptions; and
  5. report material breaches to the FCA.

Emerging Risks

Delfas also emphasised that in addition to growth in the number of cyber attacks on financial services firms, the nature of the attacks is changing. She identified three developing risk areas that the FCA will be investigating.

  1. Ransomware attacks, which increased by 35% in 2015 and have started to use self-replicating malicious software which can spread intelligently through a network.
  2. Outsourcing of data storage to the cloud can bring efficiency benefits but also means that a firm “adopts the cloud provider’s threat profile”. The FCA’s views on this subject were set out in guidance issued in July 2016.
  3. The FCA believes that there is a cyber security skills gap which sometimes makes it difficult to recruit staff who are able to properly respond to threats. According to Delfas, the industry must do what it can to recruit talent into the field.

To conclude her speech, Delfas promised to do more to encourage cyber resilience in the industry by working closely with firms in which a successful attack would do the most to undermine the FCA’s objectives. She also called for firms to take the lead and to evolve “security cultures” which emphasise the importance of cyber security.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

Vishnu Shankar

vshankar@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.