FCA warns managers of wholesale banking and asset management firms have limited familiarity with cyber risks

Maria Nikolova

Firms reviewed by the FCA generally lacked Board members with strong familiarity or specific technical cyber-expertise.

The UK Financial Conduct Authority (FCA) has earlier today published the findings of cyber multi-firm review, covering a sample of companies from the wholesale banking and asset management sectors.

The review marked a further stage of discovery work which followed on from the FCA Technology and Cyber Resilience Questionnaire exercise in these sectors. Let’s recall that the survey showed cyber-attacks accounted for 18% of the operational incidents reported to the FCA between October 2017 and September 2018. Technology outages in the financial services sector are becoming more frequent. The number of such incidents reported to the FCA has increased by 138% in the year to September 2018.

The results of the review published today indicate there has been a growing level of public and regulatory focus on cybersecurity across financial services. Boards and Management Committees of wholesale banks and asset management companies are more sensitive to the topic than in the past. However, most continue to have limited familiarity with the specific cyber risks their organisations face.

“Almost all the Board members and non-IT senior management told us how challenging it was to fully understand and explain the specific risks that their firms face”, the FCA says.

Firms in the sample generally lacked Board members with strong familiarity or specific technical cyber-expertise. Many said this was because of their size, low risk-profile or the limited availability of that skillset in the wider independent non-executive director (INED) population.

The FCA notes that some firms viewed the range of consequences from a successful cyber-attack quite narrowly. For instance, in both the asset management and wholesale banking sectors, not all firms appeared to have considered the risk that their firm may be used as conduits to damage other firms or connected infrastructure. Nor had they considered the risk that attacks may be motivated by attempts to commit market abuse.

Beyond the Board and Management Committee, the FCA observed that that the second line of defence – the risk and compliance functions – has limited technical cyber-expertise.

The lack of in-house cyber knowledge results in a high level of reliance, potentially overreliance, on third-party advisors to supplement the firm’s cyber capabilities, the FCA warns. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘3 lines of defence’ model in identifying and managing cyber risks in a timely way.

Further findings concern testing. The FCA says it met firms that had carried out almost no testing of their cyber arrangements at all. The regulator also met others that had run extensive programs covering both staff, such as ethical phishing, and systems, including near-real simulated, so-called ‘red team’ attacks. Testing seemed to have most value where it was part of a considered strategy for managing cyber risks, and less value where the tests appeared piecemeal, with no clear plan on how to address the test’s findings.

Read this next

Executive Moves

Investall hires ex-DriveWealth Steve Cortright as CEO

Investall is an AI-driven mobile trading platform for personal finance and investing that delivers AI-driven trading for thousands of equities and major cryptocurrencies.

Digital Assets

SIX integrates CryptoCompare’s cryptocurrency data feed

SIX will provide digital asset data to its clients via the same delivery channels as its leading reference, pricing, corporate actions, regulatory, tax and ESG data.

Digital Assets

CME Group to launch reference rates and indices on Avalanche (AVAX), Filecoin (FIL), and Tezos (XTZ)

Several leading crypto exchanges and trading platforms will provide pricing data for these new benchmarks, starting initially with Bitstamp, Coinbase, Gemini, itBit, Kraken, and LMAX Digital.

Technology

OneConnect launches operation in ADGM further expanding in Middle East

OneConnect has launched its regional operations in Abu Dhabi Global Market (ADGM), the leading international financial centre of the capital of the UAE, after having worked together on the creation of the ADGM Digital Lab which was launched in April 2021. The ADGM Digital Lab is a marketplace and industry sandbox to encourage the development […]

Industry News

Bitso powers crypto into Via’s payroll platform as remote work triples by 2027

“We are also allowing companies to hire international talent without worrying about administrative issues.”

Retail FX

Vantage partners with FinaCom for external dispute resolution and up to €20,000 protection per client

Vantage has joined the Financial Commission (FinaCom) as a member, thus gaining access to the external dispute resolution body’s range of services and membership benefits, including the unbiased resolution process facilitated by FinaCom, and the protection of up to €20,000 per client, covered by the FinaCom’s compensation fund.

Digital Assets

LMAX Digital onboards Bryan Christian and Cassandra Cox to lead sales

Institutional cryptocurrency exchange LMAX Digital continues to undergo a series of changes in its top ranks as it continues to build its presence globally. Two industry veterans, Bryan Christian and Cassandra Cox, have joined the group as its newest sales directors in Europe and USA.

Digital Assets

Cake DeFi introduces Ethereum Staking with 5% returns

Cake DeFi, a Singapore-based DeFi platform, is launching its Ethereum (ETH) staking service for retail and institutional customers.

Retail FX

FX trading rebounds 405pct at Saxo Bank in September

In a volatile market driven by Russia-Ukraine headlines, FX trading volumes through Saxo Bank have rebounded strongly in September to the highest level in three months.

<