Cyber security: new FCA report on industry insights


Author: Tim Wright


Tim Wright, Partner, Fladgate LLP (twright@fladgate.com)



The FCA has published a report[1] setting out industry insights into cyber security. The report is based on insights and learnings from over 175 firms drawn from across the financial sector contributing ideas and experiences. Firms are invited to participate on a sub-sectoral basis, with the FCA facilitating separate ‘cyber coordinated groups’ or ‘CCGs’ across fund management, investment management, insurance, retail banking, and retail investments and lending. Two additional CCGs covering venues and benchmark administrators, and brokers and principal trading firms, are to be added for 2019.

The report is particularly intended to assist smaller firms which generally have less cyber capability and maturity as compared with the larger firms. It is not FCA guidance and does not replace the need for firms to implement the systems and controls needed to comply with the FCA’s regulatory requirements, and should be read in conjunction with existing guidance from the National Cyber Security Centre (NCSC)[2], and used alongside existing frameworks such as ISO27001/2 or the National Institute of Standards and Technology’s Cybersecurity Framework[3].

The following topics are covered by the report:

  • Governance
  • Identification
  • Protection
  • Detection
  • Situational Awareness
  • Response and Recovery
  • Testing

Lessons learnt and suggested best practices include:

  1. Good governance requires a top-down approach: cyber risk sits clearly on the executive agenda, and management information and risks are articulated clearly and simply in terms that relate to the day-to-day business activities of staff and executives, such as financial risk and brand damage.
  2. One view is the wrong view; a view drawn from multiple perspectives across the enterprise is needed to build a complete picture of the assets to be protected, combining outputs from information asset management, system asset management and business services, change management records, vulnerability scans, anti-virus management consoles and other sources.
  3. When building a multi-dimensional view, don’t overlook suppliers, partners and other third parties. And, in order to protect assets appropriately, enterprises should ensure that appropriate cyber security contractual language, including the right to audit, is included in relevant supply-chain contracts. Older contracts should be reviewed and, as needed, amended to bring them in line with the desired approach.
  4. Vulnerability assessments should include cloud and mobile technologies, as well as on-premises solutions. Not all vulnerabilities can be fixed (some legacy systems, for example), in which case alternative controls are needed to mitigate the risk. Fixes for other vulnerabilities should be prioritised, with critical assets tackled first. Then, incorporate cyber security-by-design into system development and change management cycles.
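Points 2 and 4 describe a working practice rather than a policy: merge the partial views held by asset management, the vulnerability scanner and the anti-virus console into one picture, flag the assets that one source sees and another does not, and then order remediation by asset criticality, routing systems that cannot be patched to compensating controls. The following Python script is an added illustration of that reconciliation and is not taken from the FCA report; the hostnames, criticality ratings, vulnerability identifiers (VULN-A and so on, placeholders rather than real CVE numbers) and CVSS scores are all constructed sample data.

```python
"""Reconcile asset views from several sources and prioritise findings.

Added illustration, not from the FCA report: the CMDB, the vulnerability
scanner and the anti-virus console each see a different subset of the estate.
Merging them exposes hosts missing from one view ("one view is the wrong
view") and lets fixes be ordered with critical assets first.
"""

# Constructed sample data: three partial views of the same small estate.
CMDB = {  # hostname -> business criticality recorded by asset management
    "pay-db-01": "critical",
    "web-01": "high",
    "hr-app-01": "medium",
    "legacy-fx-01": "critical",
}
VULN_SCAN = {  # hostname -> list of (placeholder vulnerability id, CVSS score)
    "pay-db-01": [("VULN-A", 9.8)],
    "web-01": [("VULN-B", 7.5), ("VULN-C", 4.3)],
    "legacy-fx-01": [("VULN-D", 8.1)],
    "dev-box-07": [("VULN-E", 9.0)],  # scanner sees it, the CMDB does not
}
AV_CONSOLE = {"pay-db-01", "web-01", "hr-app-01", "laptop-42"}  # hosts with an agent

# Lower rank = more important. Hosts unknown to the CMDB rank last, but they
# are surfaced separately by coverage_gaps() so they are not simply ignored.
CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}
SOURCES = ("in_cmdb", "scanned", "av_agent")


def reconcile(cmdb, scan, av):
    """Return one record per host stating which sources know about it."""
    hosts = set(cmdb) | set(scan) | set(av)
    return {
        h: {
            "criticality": cmdb.get(h, "unknown"),
            "in_cmdb": h in cmdb,
            "scanned": h in scan,
            "av_agent": h in av,
        }
        for h in sorted(hosts)
    }


def coverage_gaps(view):
    """Hosts missing from at least one source, with the sources that lack them."""
    return {
        h: [s for s in SOURCES if not rec[s]]
        for h, rec in view.items()
        if not all(rec[s] for s in SOURCES)
    }


def prioritised_findings(view, scan, exceptions=frozenset()):
    """Order findings by asset criticality, then by CVSS (highest first).

    Hosts named in `exceptions` (e.g. legacy systems that cannot be patched)
    go to a separate list for compensating controls rather than the patch queue.
    Each result is a (host, vulnerability id, cvss) tuple.
    """
    patch, compensate = [], []
    for host, findings in scan.items():
        rank = CRITICALITY_RANK[view[host]["criticality"]]
        for vid, cvss in findings:
            target = compensate if host in exceptions else patch
            target.append((rank, -cvss, host, vid, cvss))
    order = lambda r: (r[0], r[1], r[2])
    return (
        [(h, v, c) for _, _, h, v, c in sorted(patch, key=order)],
        [(h, v, c) for _, _, h, v, c in sorted(compensate, key=order)],
    )


if __name__ == "__main__":
    view = reconcile(CMDB, VULN_SCAN, AV_CONSOLE)
    print("Coverage gaps (host -> sources that do not know it):")
    for host, missing in coverage_gaps(view).items():
        print(f"  {host:14} {', '.join(missing)}")
    patch, compensate = prioritised_findings(view, VULN_SCAN, exceptions={"legacy-fx-01"})
    print("Patch queue (criticality, then CVSS):")
    for host, vid, cvss in patch:
        print(f"  {host:14} {vid} {cvss}")
    print("Needs compensating controls:")
    for host, vid, cvss in compensate:
        print(f"  {host:14} {vid} {cvss}")
```

Run as-is, the gap report shows `dev-box-07` (scanned but unknown to asset management and without an AV agent), `laptop-42` (only the AV console knows it) and `hr-app-01` (never scanned); the patch queue puts the critical `pay-db-01` finding first and the unmanaged `dev-box-07` last despite its high CVSS, which is exactly why the gap report must be read alongside the queue. The same pattern extends to further sources from the report (change management records, business service catalogues, supplier inventories) by adding a key to `SOURCES`.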

Information sharing

The FCA encourages all firms to consider the insights set out in the report as they may be useful in terms of their own cyber resilience. Insights from CCGs are shared with the other financial authorities, including the Bank of England and the NCSC, and help shape NCSC advice and guidance. The FCA is focused on increasing levels of cyber resilience in the financial industry and sharing information is a vital part of this effort.

Contract review

Cyber and data security is often overlooked in the context of supply-chain contracts, especially where the processing or hosting of data is not front and centre in terms of the scope, but is an ancillary function of the service provided. Firms which have not already done so should undertake an analysis of relevant language in existing contracts (e.g. required standards, breach notification, roles and responsibilities, limits of liability and indemnification) as well as ensuring that procurement processes, checklists, forms and templates are amended for future use, and response plans and processes aligned to reflect these requirements. Related to this, the management of the contracts themselves (both within the enterprise and by the relevant counterparties) should also be reviewed since they often contain trade secrets and other confidential information.


[1] https://www.fca.org.uk/publication/research/cyber-security-industry-insights.pdf

[2] https://www.ncsc.gov.uk/section/advice-guidance/all-topics

[3] https://www.nist.gov/cyberframework

