In the year to October, the FCA has revealed a 138% increase in reported technology outages, with 18% of these being cyber-related. The regulator called the rises ‘significant’ and is urging financial services firms to do more to reduce risk.
Speaking in London, Megan Butler, the FCA’s executive director of supervision, outlined the findings of its new report, Cyber and Technology Resilience: Themes from cross-sector survey 2017-2018. This surveyed some 300 firms and aims to show how the sector is managing its technology risks.
There is clearly room for improvement and Butler issued a stark warning, stating that on the basis of the FCA’s data, “we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.”
The regulator is calling for a more resilient approach and the advice in the report includes:
Don’t delay upgrading when needed
The FCA found almost half of firms did not upgrade or retired old IT systems in time.
Be able to manage the effectiveness of controls
Only 56% of firms said they can measure the effectiveness of their information asset controls.
High risk staff and a security culture
While 90% of firms said they operated some form of cyber awareness program they expressed difficulty in identifying and managing their high-risk staff. These included people such as senior execs and their assistants, HR, finance and anyone else with privileged access.
Even when these individuals could be identified only 47% of firms said that they provided additional, ongoing and regular training. So leaving many vulnerable to high risk cyber incidents.
In many cases this risk is compounded by a simultaneous lack of monitoring of staff activity, so firms are unlikely to detect anomalies in staff behaviour and subsequent activity.
The FCA stated that it wants to see more evidence of a security culture that runs across the organization, that can connect cyber activity with other conduct issues.
Change brings potential danger
Major change projects carry high risks but the FCA says there is tendency towards ‘overconfidence’ in financial services when undertaking these. Yet its data shows this is not justified, since some 20% of the incidents reported in the 12 months were explicitly linked to weaknesses in change management.
Manage the knowledge gap
The FCA acknowledges there is a severe skills shortage within IT and cyber security. But, firms need to find solutions in ensuring they have access to expertise and find ways to improve knowledge, whether through using consultants or taking advantage of training and simulation exercises to stress test their IT. Employees must be properly trained and supported to resist attacks.
Focus on continuity
Better standards of operational resilience can be achieved by focusing on the continuity of their most important business services and so seeking ways to avoid disruption to vital services.
No one-size fits all solution
The FCA admits there are no easy answers and points out, for example, that even where highly expert IT people are brought onto boards, this can pose risks through diluting joint responsibility. What is more, knowledge can quickly become outdated. This means that the issue of knowledge, training and awareness must remain priorities.
IT specialism is far from being a panacea – the regulator also emphasizes the culture created by boards is fundamental to a successful cyber security strategy.
A positive security culture should build a resilient business, with employees acting as the eyes and ears of a firm to react and respond to threats quickly.
Indeed, Butler stressed that factors such as training, back up plans and response and recovery options were not simply about IT. “It isn’t technology at fault when things go wrong. It’s classic systems and control failures.”
While the FCA is saying it does expect ‘zero failure’ it is also demanding more effort, saying it is a “major concern that a lot of firms still seem to be trying to get the basics right on cyber,” and are lax about performing regular cyber assessments. While some of the largest firms have automated their detection systems to spot potential cyber attacks, smaller firms “are generally relying on old school, manual processes – or no processes at all.”
The risks are rising and Butler pointed out that cyber criminals were continually lowering technical barriers to entry and “the result is that the current threat level is remarkable.”
A call to action has been issued and the regulator wants this heeded.