"Try turning it off and turning it on again?": why there is no quick or easy fix for cyber security and resilience in financial services firms
In the last quarter of 2018, there was a deluge of papers, speeches and messages from domestic and global regulators on the importance of financial services firms' cyber resilience and security. 2018 was clearly the year in which firms' performance in this area was just not good enough. So much so that the FCA has issued a fine for a bank's failures during a cyber-attack, there has been a Treasury Committee inquiry, and a number of themes have been laid out as a result of the FCA's cross-sector survey on cyber and technology resilience.
The discord is clear: firms rank cyber security as one of their top concerns, but those same firms often lack the necessary technical knowledge at Exec Co level for effective leadership on, amongst other things, day-to-day cyber security, technological change management and the handling of cyber incidents. At the point where a technological change programme goes wrong or there is a cyber outage, management looks to the IT department, which looks back to management, for leadership. In these situations, turning the computer off and on again just won't do. Importantly, the regulators want to see this change.
Below is a summary of some of the key papers and messages for financial services firms from the recent publications.
Key messages
More and more financial services are being provided in a digital format or through an online platform and almost all back office functions are performed through specialist software or web-based platforms. For this reason, the risk that key customer activities cannot be performed is one of the largest operational risks to financial services businesses. What was in the past identified as an 'IT problem' is now a problem for the firm as a whole.
Reading together all sector-wide cyber-security developments set out in this article and regardless of the size, scale and complexity of your firm, the key take home messages you should be aware of are as follows:
- Governance and culture – there is an overwhelming emphasis on firms ensuring that the governing body takes the lead on the firm's cyber-security strategy. It is clear that senior managers should not only ensure that their firm has a cyber-security risk management structure in place, but should also be able to understand the technical issues arising from cyber-security threats. The idea is that there will be a clear articulation and understanding of the firm's stance on cyber security from "the top down" through every layer of the organisation.
- Three lines of defence – the FCA's (and various other regulators') general view is that cyber security is managed most effectively through a "three lines of defence" approach. Whilst this approach won't be suitable for all firms (i.e. where adopting it would be disproportionate to the size, scale and complexity of the firm), the message is loud and clear: a greater, more defined risk management structure generally leads to more effective outcomes.
- Cyber security and conduct risk – firms should incorporate cyber security into their conduct risk framework so that the risk of customer detriment resulting from cyber-security threats is appropriately captured.
- Outsourcing and third party suppliers – firms should undertake adequate due diligence on cyber-security related outsource suppliers at the start of the arrangement and monitor those third parties on an ongoing basis. By doing so, it is envisaged that cyber-security risks brought about by third party failures could be mitigated and managed more efficiently.
- Timely remediation / root cause analysis – timely resolution and remediation of cyber-security incidents (with issues relating to customer detriment flagged as the top priority) will be viewed positively by the regulator when it assesses whether to take enforcement action against "offending" firms. Further, firms should undertake a "root cause" analysis of cyber-security incidents and identify any emerging (or emerged) patterns resulting from a firm's failures.
- FCA enforcement – the FCA has become more alive to the issues and market impact of cyber-security failures, which is reflected in its willingness to take enforcement action against firms. Firms are therefore encouraged to treat cyber security as a genuine threat when implementing their operational risk framework.
The above list provides plenty for firms to consider and, where necessary, put into action. It is particularly timely given the FCA's focus on conduct risk in the last year, and shows how seriously the regulator is willing to take cyber security failings through enforcement action.
If any firm is planning its 2019/20 work programme, this has to be a topic high up on the list of priorities.
Summary of key publications
The below summarises the key publications we have seen in the last quarter of 2018. If the volume is not indicative of the regulators' focus on cyber security and resilience, the size of the fine against Tesco Bank must surely show their emphasis in this area.
1. FCA: Cyber resilience and technology resilience: Themes from cross-sector survey 2017-2018
The FCA surveyed 296 firms during 2017 and 2018 to review their technology and cyber capabilities. The survey looked at areas such as governance, delivery of change management, managing third party risks and effective cyber defences. The report states that firms consider governance to be their strongest capability, with firms subject to the Senior Managers and Certification Regime (SMCR) having a clearer outline of roles and responsibilities and ownership of cyber security strategy. Smaller firms are said to have greater difficulty in clearly identifying accountability, with some not nominating an individual at board or senior level to be responsible for technology resilience. However, the report notes more generally an absence of cyber and technology knowledge at board level at some firms, which it suggests could also inhibit the effectiveness of board challenge. The report cites board and senior management engagement with cyber and technology resilience as critical to improving wider operational resilience. The report notes a common perception of weakness in the following areas: people, third party management, and protection of key assets. Information sharing is viewed by the FCA as another area for improvement. The report states that third party issues (e.g. IT failure at an important supplier) were responsible for 15 percent of operational incidents reported to the FCA, and the FCA considers that this demonstrates the importance of managing third parties effectively. Significantly, the report teases out that, in light of the extension of the SMCR to FCA solo-regulated firms in December 2019, governing bodies of regulated firms may have no choice but to start considering cyber-security risk more seriously if they are to meet their statutory obligations under the SMCR.
2. FCA speech: Cyber and technology resilience in UK financial services
Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, recently gave a speech on cyber and technology resilience in UK financial services. She made the following observations:
3. FCA wholesale banks and asset management cyber multi-firm review findings
The chief aim of the review, which involved 20 firms, was to assess how wholesale banking and asset management firms oversee and manage their cyber security, how far they identify and mitigate relevant risks, and their current capability to respond to and recover from incidents and successful attacks. This review shows that the FCA is getting more serious about cyber security issues and is expecting firms to do more to address the threat. Firms are expected to recognise it as a potential conduct risk issue, to ensure that they understand the specific cyber security issues affecting their firms, and to have a strategy that does not simply rely on the IT function or external help. The FCA wants to see boards more engaged on this issue and sees targeted management information as a key tool in this area.
4. HM Treasury: launch of IT failures in the financial services sector inquiry
Following the recent string of IT system failures at banks and financial institutions, the UK Treasury Committee has launched an inquiry into bank IT failures and will consider (among other things) the following:
Importantly, the inquiry demonstrates the shift in attitude towards cyber security in the financial services sector and that, not only from the FCA's perspective, we can expect cross-governmental / regulator-driven developments on cyber security in the year ahead.
5. FSB: final version of cyber lexicon
The "Cyber Lexicon" was published in November 2018 and is designed to encourage greater cooperation in cyber security by introducing common definitions for key terms across the financial sector. It comprises a set of approximately 50 core terms related to cyber security and cyber resilience. The Cyber Lexicon is intended to inform the FSB project on developing effective practices to respond to and recover from a cyber incident. A progress report on the project will be published by mid-2019. The FSB hopes to promote a cross-sector common understanding of relevant cyber security and cyber resilience terminology, which reiterates the importance of understanding technical cyber-security issues when identifying cyber-security risks.
6. BIS: Cyber-resilience range of practices
BIS produced a paper comparing how different jurisdictions approach the regulation and supervision of cyber-resilience. The paper focussed on the following: governance and culture; risk measurement and assessment of preparedness (both in preventing and in recovering/learning); communication and information-sharing; and interconnections with third parties. According to BIS, regulators' approach to cyber resilience consists of principles-based guidance or prescriptive regulations framed as an "IT security" matter rather than as a traditional governance issue. Although not prescribed by most regulators, the report notes the widespread adoption of the three lines of defence. However, the report argues that cyber-resilience is not always clearly communicated across technical, business and strategic lines. BIS notes a greater emphasis placed by regulators on the first and second lines of defence rather than the third line, and states that this could inhibit accountability.
7. European Banking Authority (EBA): Consultation paper: EBA draft Guidelines on ICT and security risk management
This consultation, undertaken pursuant to requirements in the second Payment Services Directive, sets out requirements for minimising and managing ICT risks. According to the EBA, reliance on ICT for operational functioning makes financial institutions vulnerable to increased threats from internal and external attacks. These include cyber-attacks, or breaches arising from inadequate business continuity planning for ICT systems and processes.
8. FCA fines Tesco Bank for failures during cyber attack
In October 2018, the FCA announced that it had fined Tesco Bank £16.4 million for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack that occurred in November 2016. Tesco Bank breached Principle 2 of the FCA's Principles for Businesses by failing to exercise due skill, care and diligence when: designing and distributing its debit card; configuring specific authentication and fraud detection rules; and taking appropriate action to prevent the foreseeable risk of fraud. According to the FCA, deficiencies in Tesco Bank's design of its debit card, in its financial crime controls and in its Financial Crime Operations Team were exploited by cyber attackers. The FCA stressed that effective cyber security needs resilience, and emphasised the board's key role in establishing an appropriate cyber-crime risk appetite and in ensuring that the cyber-crime controls in place anticipate and reduce the risk of a successful attack. In the event of an attack, the board is advised to ensure that response plans are clear, well designed and well rehearsed. Tesco Bank was said to have implemented a comprehensive redress programme.
Co-authors: Jamie Ng, Associate and Bisola Williams, Expertise Legal Manager.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.