On 11 March 2020 the FCA published new research on cyber security. The research is the product of its Cyber Coordination Groups (CCGs) which were created through an FCA initiative in 2017. The CCGs bring together over 185 financial services firms, grouped by various sub-sectors1. They meet quarterly to discuss emerging cyber risks and share their views and experience on how best to address those risks. The content of those discussions is then fed back to the FCA. The research, 'Insights from the Cyber Coordination Groups'2, sets out some of the feedback from the CCGs across four specific themes: cyber risks, identity and access management, malicious emails, and third parties and supply chains.
The introduction to the research stresses that its contents should not be taken as FCA Guidance and "does not set out our expectations for systems and controls that firms should have in place to comply with our regulatory requirements". However, at minimum it clearly reveals what issues are on the FCA's radar; more likely, it indicates the direction of travel and should therefore be carefully considered by regulated businesses.
Much of the research's content offers helpful, practical insights into the nature of the risks associated with its four themes. However, there are two aspects of the research that offer wider insight into the FCA's expectations on cyber resilience.
First, in identifying some emerging trends in the area of payments systems security, the research notes that CCG members "recognise that there needs to be closer industry collaboration to help financial institutions identify threats to payments systems as early as possible". It is possible to imagine that this aspiration could develop into a regulatory expectation in the coming years. An expectation that would require firms, as part of their duty to be open and cooperative, to report cyber risks that are liable to affect the industry at large, in real time.
Second, the research stresses the need for businesses to properly consider the risks and weaknesses of third-party systems and resources, when assessing their cyber resilience. This reiterates and develops similar messages previously issued by the Regulator. For example, as recently as January of this year, the FCA issued a paper explaining the implications of operational resilience for firms using outsourcing and other third-party service providers and setting out what is expected from firms in this regard.3
The update identifies several current threats, including ransomware, social engineering and malicious insiders, as well as emerging and future trends. Some of these threats are most prevalent when operational components are provided or managed by external third parties, for example cloud infrastructure and supply chain partnerships. The research suggests the following approach:
- Prior to onboarding a third-party supplier, it is important for businesses to assess the supplier's approach to cyber risk and its security capabilities. The business should ensure that they are compatible with its own risk appetite and tolerance. Similar assessments should regularly be made during the business relationship.
- Given the potential complexity of supply chain relationships, businesses need to identify the critical dependencies that suppliers rely on to provide their services: "maintaining a real-time view of dependencies underpinning important business services is vital to understanding the associated cyber risks".
- In assessing the suitability and inherent risks of any supplier, businesses may want to enquire about what international industry standards and certifications the supplier has and ask to see copies of any recent audit reports. The research stresses the importance of gathering appropriate and effective management information through which the business' interrelated cyber risks can be monitored. These measures serve to ensure that the risks of each supplier remain visible and can be incorporated into the business' own risk management processes.
- Businesses should maintain a view of their suppliers' software security capabilities.
- Businesses should demand that suppliers screen their employees to the same standard applied to their own staff, and in line with their own risk appetite.
- Businesses need to ensure that the roles, responsibilities and protocols, in dealing with security incidents, are clearly defined and articulated between them and their suppliers. It will be important to undertake cyber breach exercises with their suppliers and promote the sharing of information, to ensure a more dynamic and connected response to any cyber breach.
In essence, the message from the CCGs is that, in an ever-increasingly interconnected and complex financial system, the challenges of responding quickly and effectively to cyber attacks will get harder. As such, there is an overriding need to plan, by ensuring the entire network of systems that customers rely upon are resilient to operational outages and threats.
This article was first published by Compliance Monitor.
1 These are insurance, fund management, investment management, retail banking, retail investments and lending, brokers and principal trading firms, and trading venues and benchmark administrators.
3 Outsourcing and Operational Resilience, 9 January 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.