UK’s Financial Conduct Authority (FCA) Study On Cybersecurity Gaps In The Financial Sector
The UK’s Financial Conduct Authority (FCA) in late 2017 and early 2018 carried out a cyber multi-firm review with a sample of 20 firms in the asset management and wholesale banking sectors. The firms selected varied in terms of their size, scale, operating models and geography.
CyberSolace reviewed the conclusions of the FCA study and found that they tally very well with our own experience. In fact we believe the findings apply equally to almost every other industry sector; professional services, utilities, government and media are cases in point. Two themes in the findings with which we emphatically concur are:
the inadequacy of the assumption that layering of technical controls is the solution;
the sole reliance on IT to drive the success of the cybersecurity mission.
Both of these are, unfortunately, stubbornly persistent fallacies in our industry.
I invite any concerned and responsible senior stakeholder in any company looking to tackle the question of cybersecurity to read the summary of the findings of the FCA and take heed. It will serve as a valuable list of key lessons to observe before launching any cybersecurity programme.
The main aim of the review was to assess how wholesale banking and asset management firms oversee and manage their cybersecurity, how far they identify and mitigate the relevant risks, and their current capability to respond to and recover from incidents and successful attacks. All the firms acknowledged the importance of strong cybersecurity, but they showed differing degrees of understanding of the many ways in which weak cybersecurity could affect business activities and cause harm to clients and the wider markets. This was particularly the case at Board or Management Committee level. Awareness was lower in firms that do not have a cyber-specific strategy and a proportionate cyber risk framework, where cyber is not part of the broader risk management framework, and where incident response plans take little account of non-technical consequences such as the impact on reputation, clients and markets more broadly.
Main observations from study findings:
Many firms need to do more to ensure that Board and Management Committee cybersecurity decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm’s activities and risk profile. Where a firm relies on group-level or other centralised arrangements, Management Committees and Boards should carefully assess whether these are fully aligned with the firm’s specific risks and ensure they address any identified gaps.
Firms should take proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority.
In some cases, all three lines of defence were clear about their roles and responsibilities for managing cyber risk, and the second and third lines possessed a suitable level of knowledge, skill and expertise. In these firms, the second and third lines were able to challenge the first line appropriately and ensure it was sufficiently aware of current and emerging cyber risks.
One effective approach the FCA observed in third-party vendor risk management involved the firm identifying and engaging with the relevant stakeholders across the business for each supplier. The firm then carried out in-depth reviews of key third-party service providers' controls as part of its broader cyber-risk assessment framework. This model, which differs from a purely centralised vendor management function, appeared to offer a range of oversight and resilience benefits.
Incident management plans did not always reflect the full range of likely impacts of a successful cyber-attack: the impact on customers, on other market participants, and on markets more generally, rather than simply the implications for the firm's own systems and technology.