Out-Law News | 26 Sep 2016 | 4:10 pm | 3 min. read
In a speech at a cybersecurity event hosted by the Financial Times, FCA director of specialist supervision Nausicaa Delfas said "cyber resilience" is a priority for the regulator.
According to Delfas, the FCA has so far this year received 75 reports from firms that they have experienced a cyber attack. In comparison, just five such reports were filed by firms throughout the whole of 2014, she said.
"Whilst this significant increase indicates more attacks are occurring, this may also suggest better detection and greater reporting to us on the part of firms, which we very much encourage," Delfas said.
Information law and cyber risk expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "As financial institutions prepare for the multiple reporting obligations that they will have to manage once the EU's Network and Information Security (NIS) Directive and General Data Protection Regulation are in force alongside their existing obligations to the FCA, it would be very helpful for the FCA and its counterparts at the ICO and in due course the regulatory body appointed under NIS to explore how they might standardise at least some of the information required to be reported, and how co-ordination between the bodies in relation to reporting of cyber risk by firms could best be improved."
"It would do the industry a huge disservice to require or encourage firms to share threat intelligence, as well as reporting material breaches, on the one hand while not devoting sufficient resources to enable effective inter-agency co-operation on the other," he said.
To address cyber risk, financial firms need to embed a "security culture" throughout their organisation, from the board level down, Delfas said.
"We are looking for firms to have good governance around cyber security in their firms – by this I mean senior management engagement, responsibility – and effective challenge at the board," Delfas said. "We are aware firms have found it difficult to identify the right people for these roles – but much progress has been made, and I am encouraged by the engagement we have seen on this issue by senior management."
The FCA also expects firms to identify and put in place appropriate protections for "key assets", Delfas said. They should also have "adequate detection capabilities", she said.
"Recent cases show that attacks have happened and are lurking in systems for a long time before they are detected," Delfas said. "How good is your threat intelligence? There is no shortage of innovation in cyber protection – of those innovations, I would count positive developments in DDoS (distributed denial of service) defence and new technologies such as website re-scripting as among the most important. But these really are just the tip of the iceberg. Others are developing artificial intelligence systems which can scour corporate networks for vulnerabilities and patch them automatically. This is all good – but it’s not a silver bullet."
Delfas also stressed the need for financial firms to "have systems and controls to ensure they can carry on in the event of an unforeseen interruption, and to be able to recover from interruptions, preserving essential data".
Businesses should share information on cyber risk, Delfas said. Beyond that voluntary sharing, firms are obliged to report "material breaches" to the FCA under its regulatory framework, she said.
In her speech Delfas addressed the growing problem of ransomware and also said that firms cannot outsource their cyber and data security obligations when using cloud storage providers.
"As more firms move to the cloud, they really do need to be aware that they adopt the cloud provider’s threat profile, as well as their own," Delfas said. "Outsourcing key services to cloud vendors plainly brings large cost and efficiency benefits – we fully understand that – but firms must be on top of associated risks. A strong relationship with cloud providers (and other outsourcing partners) is critical to managing this change in the threat profile. Firms need to understand how their data is protected."
"The FCA recently issued cloud guidance to firms and I encourage everyone to read this – it clearly lays out our view on this subject. Whilst you can outsource a service, and realise the benefits that the cloud undeniably brings, you cannot outsource the associated responsibility for the risks. These are yours to manage, whether you’re a start-up or an established multi-national," she said.
On cloud security, Dautlich of Pinsent Masons said: "There are significant differences in the level of transparency and quality of engagement offered by the leading vendors, and these factors should be an important component in firms’ overall risk assessment of vendors."