Technology outages in UK financial services sector become more frequent, FCA survey shows
The number of incidents reported to the FCA has increased by 138% in the past year.
The UK Financial Conduct Authority (FCA) earlier today posted the results of a survey on cyber and technology resilience, with the findings pointing to a rising number of tech outages in the financial services sector.
The survey covered 296 firms and assessed their technology and cyber capabilities. Firms self-assessed their capabilities and the FCA then analyzed the responses for each firm and across sectors.
Cyber-attacks show no sign of decreasing in volume. They accounted for 18% of the operational incidents reported to the FCA between October 2017 and September 2018. Technology outages in the financial services sector are becoming more frequent. The number of such incidents reported to the FCA has increased by 138% in the year to September 2018.
Most firms ranked cyber resilience as their biggest concern. Firms’ responses highlight cyber weaknesses in 3 areas: people, third-party management, and protecting their key assets. Nearly 80% of respondents struggle to maintain a view of what information they hold and of their third parties. Firms also noted challenges in identifying and managing their high-risk staff and then educating those employees with access to critical systems or sensitive data, who are more likely to be targeted by cyber criminals.
Under Principle 11, the FCA expects firms to report major technology outages and cyber-attacks to it. Evidence, however, suggests that firms are under-reporting, and the FCA reminds all firms of their obligations to report.
Regarding detection of cyber-attacks, only the largest firms report that they have automated systems to spot potential cyber-attacks and support their subsequent response. Smaller firms are mainly reliant on manual processes, or have no processes at all.
Change management is the top root cause for issues reported to the FCA in the past year. The regulator notes that there is a disconnect between firms’ self-assessed strength in change management and the FCA analysis of incidents reported to it. That analysis indicates that poor change management caused 20% of incidents reported to the FCA between October 2017 and September 2018.
Third-party failure is ranked second among root causes. Nearly all firms described discussing cyber risk with their third parties. However, only 66% of large firms and 59% of smaller firms understood their third parties’ response and recovery plans. These figures drop to 22% and 19% (respectively) when it comes to explicitly including third parties in their own testing plans.
Key areas of focus that the FCA has identified, such as third-party management and change management, will be considered in its supervisory plans for 2019.
Let’s recall that, in July this year, the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) presented their joint view on the need for the financial sector to boost its operational resilience. The supervisory authorities envisage that boards and senior management have to assume that individual systems and processes that support business services will be disrupted, and focus on back-up plans, responses and recovery options.