FCA warns managers of wholesale banking and asset management firms have limited familiarity with cyber risks

Maria Nikolova

Firms reviewed by the FCA generally lacked Board members with strong familiarity or specific technical cyber-expertise.

The UK Financial Conduct Authority (FCA) earlier today published the findings of a cyber multi-firm review, covering a sample of companies from the wholesale banking and asset management sectors.

The review marked a further stage of discovery work which followed on from the FCA Technology and Cyber Resilience Questionnaire exercise in these sectors. Let’s recall that the survey showed cyber-attacks accounted for 18% of the operational incidents reported to the FCA between October 2017 and September 2018. Technology outages in the financial services sector are becoming more frequent. The number of such incidents reported to the FCA has increased by 138% in the year to September 2018.

The results of the review published today indicate there has been a growing level of public and regulatory focus on cybersecurity across financial services. Boards and Management Committees of wholesale banks and asset management companies are more sensitive to the topic than in the past. However, most continue to have limited familiarity with the specific cyber risks their organisations face.

“Almost all the Board members and non-IT senior management told us how challenging it was to fully understand and explain the specific risks that their firms face”, the FCA says.

Firms in the sample generally lacked Board members with strong familiarity or specific technical cyber-expertise. Many said this was because of their size, low risk-profile or the limited availability of that skillset in the wider independent non-executive director (INED) population.

The FCA notes that some firms viewed the range of consequences from a successful cyber-attack quite narrowly. For instance, in both the asset management and wholesale banking sectors, not all firms appeared to have considered the risk that their firm may be used as a conduit to damage other firms or connected infrastructure. Nor had they considered the risk that attacks may be motivated by attempts to commit market abuse.

Beyond the Board and Management Committee, the FCA observed that the second line of defence – the risk and compliance functions – has limited technical cyber-expertise.

The lack of in-house cyber knowledge results in a high level of reliance, potentially overreliance, on third-party advisors to supplement the firm’s cyber capabilities, the FCA warns. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘3 lines of defence’ model in identifying and managing cyber risks in a timely way.

Further findings concern testing. The FCA says it met firms that had carried out almost no testing of their cyber arrangements at all. The regulator also met others that had run extensive programs covering both staff, such as ethical phishing, and systems, including near-real simulated, so-called ‘red team’ attacks. Testing seemed to have most value where it was part of a considered strategy for managing cyber risks, and less value where the tests appeared piecemeal, with no clear plan on how to address the test’s findings.
