financial regulation update
14 Feb 2017 Cyber security: is tick-box compliance enough?
This article was first published by Thomson Reuters on 3 February 2017
The threat cyber security poses has been cited as one of the top five regulatory themes for 2017 by many across the City. But why? Isn't cyber security another issue for the IT department to deal with?
With cyber attacks on everything from bank accounts and email accounts to fridges and even the U.S. presidential elections appearing in the press recently, it is insufficient for firms to think about the problem after the event. The damage such attacks have caused other companies, and, more importantly, the end customer, justifies a stronger governance model, led from the top down.
If the Financial Conduct Authority's (FCA) recent rhetoric and proposed rules from overseas jurisdictions are any indicator of the future, regulated firms have little choice but to improve their cyber security capabilities, not just in the IT department but across compliance, monitoring and, importantly, at executive level.
- Cyber attacks on regulated firms cause concern for regulators as they threaten their statutory objectives of consumer protection and market integrity.
- Cyber attacks can cause long-lasting, irreparable damage to firms' customers, reputations and revenues. Adopting a strong cyber security policy is not a compliance box-ticking exercise or an IT problem; cyber security is a vital operational risk and necessitates senior management involvement and ownership.
- The UK regulators have taken a cooperative approach to date but could impose more onerous and specific standards for cyber security compliance like some of their peers, should firms fail to adopt the security culture the FCA wants.
- But adopting a strong cyber security policy and implementing defences against cyber attacks requires specialist skills and knowledge — something that is in high demand across all businesses and where there is a shortage of personnel.
What should firms be doing
Governance and culture
- Recruit IT security specialists to implement and oversee your cyber security procedures.
- Appoint a senior manager with responsibility for IT security, business continuity and operational continuity.
- Instil a top-down security culture throughout the organisation.
Systems and controls
- Have in place systems and controls to ensure the firm can continue and preserve essential data in the event of a cyber attack.
- Identify vital assets and ensure they are appropriately protected.
- Check the firm's ability to detect potential threats is effective.
- Stress test your procedures and run mock cyber attacks.
- Provide regular training to all employees on cyber security (you could send a fake phishing email and see how many people respond or click on the link, which could then be followed up with a training session, for example).
- Report material breaches of cyber security to the regulator under Principle 11.
- Share information about potential and actual cyber security threats with the wider community through the government-backed Cyber Information Sharing Partnership to enhance the protection of the industry as a whole.
Increasing threat of cyber attacks and the imposition of minimum standards
Everyone is aware of the well reported cyber attacks on major businesses. These businesses suffered significant damage to their reputations, significant costs to rectify the issues and a continuing loss of revenues. Of greater concern should be the serious consequences for customers, who could have their money, personal details or other assets stolen or compromised.
This is what most concerns regulators. Most businesses accept it is a matter of time before they will face a cyber attack. Regulators will be first to ask whether customers have suffered as a result and whether the firm can demonstrate its systems were sufficient to prevent such an attack.
This threat and the risks it poses has caused the New York State Department of Financial Services (NYDFS) to set minimum standards for cyber security. These require affected firms to appoint a chief information security officer (CISO).
The CISO will be responsible for overseeing and implementing the firm's cyber security programme and enforcing the firm's policy. The CISO must report annually to the firm's governing body on the firm's policy and risks faced by the firm. This is understood to be the first time a regulatory body has required an individual senior manager to take direct responsibility for the firm's cyber security procedures and could be a sign of things to come.
The UK regulators' approach to date
Cyber security threatens the UK regulators' statutory objectives. The Financial Policy Committee is responsible for reducing systemic risks to the financial system; the Prudential Regulation Authority (PRA) has to promote the safety and soundness of the firms it regulates; and the FCA's objectives include consumer protection and market integrity. Cyber attacks could have an impact on each of these objectives. For example, customers have had money taken or made temporarily unavailable and their personal information compromised, which affects the FCA's consumer protection objective.
Recently, cyber attackers in China obtained inside information on pending U.S. merger and acquisition transactions by hacking a U.S. law firm and traded on the basis on this inside information. If this happened in the UK, the FCA's market integrity objective would be threatened so it is clear to see why regulators are keeping a close eye and why their approach could become more onerous.
To date, however, the FCA has been working with some of the "the largest providers" and "critical national infrastructure".
The joint FCA and PRA response to the chairman of the Treasury Committee in November provides numerous examples of the UK regulators working with some of the largest investment firms and banks to stress test the resilience of their systems.
The FCA is turning its sights on other regulated firms. It will focus initially on those the FCA believes pose the greatest risk to its objectives if their services were disrupted. This could include smaller firms that hold large quantities of sensitive data that, if compromised, could have a ripple effect through the market.
The regulator has said it will adopt a proportionate approach but few would be surprised to see the FCA moving towards a set of minimum standards such as the NYDFS, given the potential severity of cyber attacks and the threat they pose to the regulators' objectives.
Issues faced by firms
Firms should not wait for the UK regulators to tell them to introduce a detailed cyber security policy and regularly monitor their defences. Cyber security risk must be seen as a subset of operational risk; the risks are not compliance-related but go to the heart of the businesses — reputational damage, loss of revenues, huge costs and, more importantly, customer detriment.
Implementation of effective procedures has difficulties. There are few personnel with relevant IT expertise at all levels, let alone senior executives which the FCA has acknowledged as a problem faced by firms but firms need to start recruitment.
The expansion of the senior managers regime (SMR) in 2018 is likely to require all regulated firms to assign to a senior manager responsibility for business continuity and IT. Part of the SMR includes the duty of responsibility, which requires the named person responsible for areas of the firm to show they have taken reasonable steps to discharge that duty, otherwise they could be found guilty of misconduct if there is a breach of a role in the business line for which he/she is responsible.
This will focus the minds and attention of those managers in charge of business continuity and IT to ensure they have the right resources, staff and expertise. Once firms have the personnel in place it will take time to prepare, implement and stress test cyber security procedures. Even after that, firms need to continually monitor and update their procedures. Customers will soon be able to make payments, trade securities or share their personal data through voice recognition, new forms of biometrics or even artificial intelligence. Such advances in technology create corresponding vulnerability to cyber attacks and the misuse of customer data.
Cyber crime poses a disproportionate threat. An attack can be launched by a teenager sitting in their bedroom on a laptop, who could cause widespread customer detriment and damage to international businesses. Many cyber attacks still infiltrate firms through some of the easiest methods, such as phishing emails. Firms need to educate and remind their staff about such techniques and other threats.
The integrity and suitability of many financial institutions' technology is also called into question when cyber attacks occur. Some financial services infrastructure is outdated and has been added to in a piecemeal fashion over the years; it will need updating.
Firms operating across borders will face increased pressure from various regulators and will need to adopt an international standard to cyber security, with IT security teams and policies.
We bring together lawyers of the highest calibre with the technical knowledge, industry experience and regional know-how to provide the incisive advice our clients need.
This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions.