In a multi-firm review of 20 companies of varying sizes, structures, and business models in the UK, conducted in late 2017 and early 2018, the Financial Conduct Authority of the UK found that a lack of technical expertise is the chief reason why financial companies in the country are unable to mitigate cybersecurity risk. The aim of the review was to assess how asset management and wholesale banking firms identified, mitigated, managed, and oversaw cybersecurity risks, and how capable they were of responding to and recovering from cyberattacks.
While acknowledging that the small sample size is not statistically significant, the FCA report makes it clear that the organisation considers its findings to be relevant to all firms in the asset management and wholesale banking sectors. Given that the FCA is taking an increasingly aggressive approach to enforcement of cybersecurity incidents, regulated firms need to pay close attention both to the report and possible future developments in this area.
The following were the key findings of the report:
Most boards have limited familiarity with the cyber risks their organisations face
- Almost all of the board members and non-IT senior management interviewed told the FCA how difficult it is to fully understand and explain these specific risks. This challenge is compounded by the fact that most board members and non-executive directors lacked familiarity with, or specific technical expertise in, cybersecurity.
- Some firms have hired external parties to advise them on cybersecurity. While endorsing this approach, the FCA cautioned against an over-reliance on such advisors, which it said could hinder the development of firms’ in-house cybersecurity awareness and abilities.
Risk and compliance functions have limited technical cyber expertise
- The FCA observed that a company’s second line of defence—its risk and compliance functions—also had limited technical cybersecurity expertise, raising the prospect that such functions would struggle to challenge technically sophisticated first line business units.
Firms do not actively consider how to include cybersecurity in their broader approach to conduct risk assessment
- Many firms in the wholesale banking sector—including those with robust conduct risk frameworks already in place—fail to join the dots between cyber and other conduct issues that may occur through cyber channels, such as market abuse and financial crime.
- Firms told the FCA that their most significant cyber risks related to “insiders”, highlighting the importance of embedding a security culture throughout all aspects of the business.
- The firms interviewed mitigated the threat of insiders in various ways, including: improving logical access controls; classifying data according to its sensitivity, commercial value, or other special characteristics; and training and awareness initiatives.
The report comes amid a heightened focus on cybersecurity following a series of high-profile data breaches at UK multinationals and the introduction of the EU’s General Data Protection Regulation, under which fines of up to two per cent of an organisation’s annual worldwide turnover can be issued for failing to implement security measures to protect personal data.
Unsurprisingly, information security is now firmly at the top of most boardroom agendas—as well as those of UK, EU, and international regulators. For example, in a report on global cyber resilience practices issued on 4 December 2018, the Basel Committee on Banking Supervision echoed several of the FCA’s findings, including that cyber resilience is not always clearly articulated across all technical and business lines, which hampers its effectiveness, and that there is a shortage of individuals with cybersecurity expertise across industries and regions.
Although firms and regulators are both navigating uncharted waters in relation to cybersecurity compliance and enforcement, UK authorities have historically been willing to exercise their powers in this area. The FCA’s predecessor, the Financial Services Authority, fined a number of financial services organisations for their data security failings, while the UK’s data protection regulator, the Information Commissioner’s Office, twice issued a £500,000 penalty—the maximum permitted under the previous legislative regime—in respect of personal data breaches.
Most notably, the FCA in October 2018 fined Tesco Personal Finance £16.4 million for its failings in relation to a cyber attack in November 2016. In announcing the fine, the FCA’s first for cyber fraud, the regulator said:
- A financial institution’s board has the ultimate responsibility for ensuring that its cyber crime controls are designed to meet standards of resilience.
- The board must set an appropriate cyber crime risk appetite and ensure that its institution’s controls are designed to anticipate and reduce the risk of a successful attack.
- Where an attack is successful, the board should ensure that its institution’s response plans are clear, well-designed, and that the institution recovers quickly from the incident.
The report’s focus on board-level ownership of, and responsibility for, a firm’s approach to cybersecurity is not new. However, given that the FCA’s stated position is that many organisations still have work to do in implementing the technical and organisational measures required to defend against cybersecurity risks, regulated firms and their boards should ensure that these measures are put in place as a matter of priority for 2019.