The UK Financial Conduct Authority (“FCA”) has carried out a multi-firm review of cybersecurity practices with a sample of 20 firms in the wholesale banking and asset management sectors (the “Report”). The review aimed to look more closely at how wholesale banking and asset management firms oversee and manage their cybersecurity, including the extent to which firms identify and mitigate relevant cyber risks and their current capability to respond to and recover from data security incidents.
The Report provides a number of useful takeaways for all firms to consider in relation to their cybersecurity management. As a general theme, the FCA acknowledges that whilst all firms understand the importance of strong cybersecurity, significant divergences remain in practical cyber risk management. The FCA is clear that firms should be taking proactive steps to foster a security-centric culture in which cybersecurity is no longer seen as just an IT issue, but is instead an organisation-wide priority. Key points highlighted by the FCA’s Report on methods for organisation-wide cyber risk management are:
- Understanding and managing the cyber risks your firm faces – whilst the FCA acknowledges a growing public and regulatory focus on cybersecurity across the financial services industry, the FCA concludes that most senior management functions continue to have limited familiarity with the specific risks that their own firms face. For one, many had defined the threat landscape too narrowly. For example, in both sectors, not all firms had considered the risk that attacks may be motivated by attempts to commit market abuse.
- Effectiveness of second line functions in overseeing and managing cyber risks – all relevant areas of the business must have the relevant expertise. The Report comments that where all three lines of defence are clear about their roles and responsibilities, the first line (IT functions) and the second line (risk and compliance) are able to appropriately challenge the third line (board and management levels) and ensure they are sufficiently aware of current and emerging risks.
- Connecting cyber and conduct risk – the Report notes that firms are clearly aware of the threats posed by ‘insiders’, but firms need to further consider how they address this risk, in particular by embedding a security culture throughout all aspects of the business. Technical control environments will need to be accompanied by positive steps to increase staff awareness and understanding, such as providing staff training and engaging with high-risk personnel.
- Outsourcing to third parties – of particular note were the FCA’s observations on the increased outsourcing of cybersecurity activities to third parties. The FCA were keen to stress that this makes an effective approach to third-party risk management even more important. The most effective approaches to vendor risk management involved identifying the relevant stakeholders across the business for each supplier. The FCA recommends carrying out in-depth reviews of key third-party service providers’ controls as part of a broader assessment framework. This is in contrast with the centralised vendor management function still adopted by a number of firms.
- Testing – the FCA observed wide variations in firms’ approaches to cybersecurity testing. Among the sample firms, these ranged from almost no testing of cyber arrangements at all to extensive programmes covering staff (e.g., phishing) and systems (e.g., simulated attacks). The FCA concludes that testing seems to have most value where it forms part of a broader, coherent strategy, as opposed to where tests are conducted on a more ad hoc basis.
- Non-technical consequences – firms should ensure that incident response plans take account of the non-technical consequences of cybersecurity incidents, such as the impact on reputation, clients and markets more broadly (including the market abuse risk noted above), and not simply the implications for the firm’s systems and technologies.
Of course, whilst these points (and the more detailed recommendations set out in the Report) are all key for addressing current cybersecurity issues, the FCA acknowledges that managing cyber risk is inherently complex due to the “dynamic, ever-changing nature of the threat”, and firms, in particular Board and Management Committee members, will need to remain on top of the evolving threat landscape. In fact, one of the main observations from the Report was that many firms need to do more to ensure that Board and Management Committee cybersecurity decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm’s activities and risk profile. To assist with this, the Report concludes by suggesting that, going forward, members ask themselves the following questions:
- How can I assure myself that I have sufficient grasp and understanding of the cyber risks (including those from the use of third parties) that my firm faces and the impact tolerances of our business services so that I can provide effective challenge to the business on an ongoing basis?
- What can we, as a Board or Management Committee, do to make sure the firm’s second line of defence is able to provide effective challenge to the first line on cyber-related matters?
- Which aspects of our approach to conduct risk management could we apply to the way we manage our cyber risk? Does this offer value?
- How confident are we that our incident management plans would be effective in dealing with the aftermath of a cyber incident?
- How can we best assure ourselves that we have appropriate future goals and timeframes for cyber risk?
A full copy of the FCA report can be found here.