Tim Wright, Partner, Fladgate LLP (twright@fladgate.com)
The FCA has published a report[1] setting out industry insights into cyber security. The report draws on the insights and lessons of over 175 firms from across the financial sector, which contributed ideas and experiences. Firms are invited to participate on a sub-sectoral basis, with the FCA facilitating separate ‘cyber coordinated groups’ or ‘CCGs’ across fund management, investment management, insurance, retail banking, and retail investments and lending. Two additional CCGs, covering venues and benchmark administrators, and brokers and principal trading firms, are to be added for 2019.
The report is particularly intended to assist smaller firms, which generally have less cyber capability and maturity than larger firms. It is not FCA guidance and does not replace the need for firms to implement the systems and controls required to comply with the FCA’s regulatory requirements. It should be read in conjunction with existing guidance from the National Cyber Security Centre (NCSC)[2] and used alongside existing frameworks such as ISO27001/2 or the National Institute of Standards and Technology’s Cybersecurity Framework[3].
The following topics are covered by the report:
Lessons learnt and suggested best practices include:
The FCA encourages all firms to consider the insights set out in the report, as they may be useful for their own cyber resilience. Insights from CCGs are shared with the other financial authorities, including the Bank of England and the NCSC, and help shape NCSC advice and guidance. The FCA is focused on increasing levels of cyber resilience in the financial industry, and sharing information is a vital part of this effort.
Cyber and data security are often overlooked in the context of supply-chain contracts, especially where the processing or hosting of data is not front and centre in the scope of the service but is an ancillary function of it. Firms which have not already done so should analyse the relevant language in existing contracts (e.g. required standards, breach notification, roles and responsibilities, limits of liability and indemnification), ensure that procurement processes, checklists, forms and templates are amended for future use, and align response plans and processes to reflect these requirements. Related to this, the management of the contracts themselves (both within the enterprise and by the relevant counterparties) should also be reviewed, since they often contain trade secrets and other confidential information.
[1] https://www.fca.org.uk/publication/research/cyber-security-industry-insights.pdf
[2] https://www.ncsc.gov.uk/section/advice-guidance/all-topics
[3] https://www.nist.gov/cyberframework