Nausicaa Delfas, Director of Specialist Supervision at the FCA, recently gave an interesting speech at the FT Cyber Security Summit. The full text can be seen here.
It is worth reading this speech as it gives some valuable pointers as to how firms should look at this increasingly important issue.
The key points from the speech were:
- Cyber risk is an ever evolving threat.
- Firms, whatever their size, could pose a significant risk to the FCA’s objectives if their services were disrupted.
- The FCA will continue to take a co-operative approach to addressing this threat, continuing to work with the Government and other regulators, nationally and internationally, on this important issue.
- Each firm should have a ‘security culture’ – from the Board down to every employee. Cyber is not just an IT issue but covers people, processes and technology. The key is good governance, identification and protection of key risks, detection, response and recovery and information sharing with the regulator.
As a reminder, the FCA’s objective in this area is to help firms to become more resilient to cyber-attacks, to enhance market integrity and to protect consumers. This has become a significant focus for the regulator and there is now a specialist unit within the FCA to look after this element.
It is apparent that firms are coming under increasing attack: the number of incidents that firms report to the FCA is rising year on year. As an example, according to FCA statistics there were 5 reports in 2014 and, so far in 2016, 75!
Moreover, according to the FCA, some half a billion records have been lost globally as a result of data breaches, with 430 million new malware variants discovered in 2015. PwC, meanwhile, report a 45% increase in the volume of cyber-attacks by organised criminal gangs.
The FCA focus so far has been twofold:
- Engaging nationally and internationally to ensure a co-ordinated approach to addressing this threat.
- In terms of supervisory attention, they have focused on the largest providers.
But now, they are turning their attention to the remainder of firms that they regulate. They are looking at which firms they believe pose the greatest risk. It is reassuring to hear that they will employ a proportionate approach, ranging from communications and self-help to a more intensive supervisory approach with individual firms where they believe this is warranted or where they are aware of significant failures.
So, as noted in the key points, they expect a security culture, driven from the top down – from the Board, to senior management, down to every employee.
What does this mean?
There are few specific rules on cyber security, but a number of overarching rules in Systems and Controls (SYSC), as well as the existing Principles, cover a wide range of relevant areas, from disaster and business continuity planning to outsourcing (which includes IT).
It is important for all firms - no matter how big or small - to have good governance structures in place. Remember, the fifth Threshold Condition (COND 2.7) requires you to demonstrate a sustainable business model, part of which is good corporate governance – an issue we have spoken about many times.
The FCA expect that firms will have identified their key risks and mitigated them as far as possible, and there is no doubt that cyber security is a key risk. So, for a start, ask yourself:
- How well trained are your staff to recognise phishing emails or other scams?
- How good is your IT defence (firewalls, etc.)?
- How often are these tested and reviewed?
- What security do you have over your systems, particularly when they can be accessed away from the office?
- How would you recognise if you had been attacked?
- Who is in charge of cyber, and do they have the necessary skills?
- What would happen if you were attacked?
- How quickly would you recover and be able to carry on as usual?
- What would it cost to recover?
- Do you have appropriate insurance cover?
Please do not forget that any serious breach needs to be reported to the FCA under Principle 11:
A firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.
A word about outsourcing your IT responsibilities: you can outsource the work but NOT the responsibility, which remains with the firm and its approved persons.
The FCA recently issued cloud guidance to firms, and everyone should read it, even if you do not use cloud-based services, as much of the thinking is still relevant.
I will end with some direct quotes from the speech:
“Most attacks you have read about were caused by basic failings – you can trace the majority back to: poor perimeter defences, unpatched, or end-of-life systems, or just a plain lack of security awareness within an organisation. So we strongly encourage firms to evolve and instil within them a holistic ‘security culture’ – covering not just technology, but people and processes too.
You can expect to hear more from us on cyber resilience. We will be reaching out to a much wider range of firms than we have to date, and focussing on those in which a successful attack might pose the greatest risk to our objectives. We will be looking closely at the cyber practices of these firms.”
Remember RWA and its Solutions Team are here to help, so if you have any questions, please get in touch.