FCA Outlines its Approach to Cybersecurity in Financial Services Institutions

A recent speech by the Financial Conduct Authority (“FCA”) Director of Specialist Supervision, Nausicaa Delfas, delivered at the Financial Times’ Cyber Security Summit, shows that the FCA, which is the leading financial services regulator in the United Kingdom, is taking the issue of cyber security seriously and that it believes new approaches are needed to combat the threat to financial services firms.

The FCA’s concerns are consistent with those being expressed by US banking regulators and the Group of Seven (G-7) industrial nations who agreed on a set of guidelines to combat cyber risks affecting global financial institutions.

The Current Threat

Delfas outlined the scale of the threat currently faced by FCA-regulated firms. The FCA has received 75 reports of cyber attacks so far in 2016, compared with the 5 reports filed in 2014. She also drew attention to recent serious cyber attacks on large organisations such as TalkTalk, SWIFT and Bank of Bangladesh. It is therefore unsurprising that “cyber resilience” has become a “matter of priority” for the FCA.

The FCA Approach

The FCA’s focus so far has been twofold. First, it has sought national and international co-operation, both with industry and with other regulatory bodies. For example, in January 2015 it carried out a trans-Atlantic resilience exercise called Resilience Shield, which drew up a collective response to a major international cyber event. Secondly, it has focused its attention on the largest and most critical targets by conducting probing tests of critical national financial infrastructure in conjunction with the Bank of England.

Delfas believes that it is now time for the FCA to widen its focus to include many more of the 56,000 firms it regulates, with particular attention to firms whose disruption by cyber attack would pose the greatest threat to the FCA’s objectives. This is not simply a question of firm size: even small firms can hold quantities of sensitive data large enough to disrupt the financial sector if compromised.

The FCA has made clear it recognises that there is no single strategy for effectively managing cyber security risk. It does, however, expect a “security culture” in the firms it supervises. This should be “driven from the top down” and includes the following approaches:

  1. implement good cyber security governance, including senior management engagement;
  2. identify key assets vulnerable to attack and design appropriate protections;
  3. maintain adequate detection capabilities so that attacks can be quickly identified;
  4. have back-up, recovery and response systems in place to allow business functions to continue after unforeseen interruptions; and
  5. report material breaches to the FCA.

Emerging Risks

Delfas also emphasised that, in addition to the growth in the number of cyber attacks on financial services firms, the nature of the attacks is changing. She identified three developing risk areas that the FCA will be investigating:

  1. Ransomware attacks, which increased by 35% in 2015 and have started to use self-replicating malicious software which can spread intelligently through a network.
  2. Outsourcing of data storage to the cloud can bring efficiency benefits but also means that a firm “adopts the cloud provider’s threat profile”. The FCA’s views on this subject were set out in guidance issued in July 2016.
  3. The FCA believes that there is a cyber security skills gap which sometimes makes it difficult to recruit staff who are able to properly respond to threats. According to Delfas, the industry must do what it can to recruit talent into the field.

To conclude her speech, Delfas promised to do more to encourage cyber resilience in the industry by working closely with firms in which a successful attack would do the most to undermine the FCA’s objectives. She also called for firms to take the lead and to evolve “security cultures” which emphasise the importance of cyber security.