2017-07-07
The Financial Conduct Authority recently released guidance
regarding cyber resilience (in the form of new webpages) which FCA
regulated firms should take account of. While many larger regulated
firms have substantial cyber resilience systems in place, the FCA
is well aware that all firms are still vulnerable to attack, and
that cyber attacks can impact customers.
The FCA notes that 66% of medium/large UK businesses were
subjected to cyber attacks in 2016, and 54% of UK businesses have
been hit by ransomware attacks. Since 2014, there has been a 1,700%
increase in cyber attacks reported to the FCA.
The FCA raises a number of pertinent questions that firms should
consider:
Do you review who has access to your most sensitive data?
Do you understand where you are vulnerable to cyber attack?
Do you use encryption software?
Do you know if you are able to restore services in the event of an attack?
Do you make sure your computer network is configured to prevent unauthorised access?
Do you use two-factor authentication where the confidentiality of the data is most crucial?
Do you educate your staff on cyber security risks?
Do you align your firm to a recognised cyber scheme?
Are you a member of any information-sharing arrangements?
While, because of the nature of their business, not all firms
will need to adopt all of the measures mentioned by the FCA, it
clearly expects firms to have thought about these questions.
The FCA's Principles for Business include an obligation for
firms in the financial services sector to report material cyber
incidents. 'Material', for these purposes, is any incident
that:
Results in the firm losing control of its IT systems
Results in a significant loss of data
Impacts a large number of victims, or
Results in unauthorised access to a firm's information and communication systems, including the implementation of malicious software
The guidance informs firms of how to report incidents, and the
relevant authorities to which incidents must be reported; namely
the FCA, the Prudential Regulation Authority (if the firm is
dual-regulated), and the Information Commissioner's Office, in
the event of a data breach. The FCA's webpage will be updated
in line with future regulations to ensure that firms are able to
report incidents correctly.
Links to the National Cyber Security Centre and
related FCA publications have also been provided to guarantee that
firms are given a broad range of information and guidance on how
best to implement cyber security measures into their systems.
The challenge for firms, and for the FCA, will be keeping on top
of what is a fast-moving area, and ensuring that firms have robust
yet proportionate cyber security systems in place.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
