Financial services firms in the UK should 'reward' staff who identify cyber attacks, says regulator

Out-Law News | 25 Apr 2017 | 11:49 am

Financial services firms should "reward" employees who identify cyber attacks, an executive director at the UK's Financial Conduct Authority (FCA) has said.

Speaking at a Financial Information Security Network event in Luton on Monday, Nausicaa Delfas said firms need to do more than rely on company policies for training staff on cyber risks.

"Policy is important – it is the articulation of what you as a business will be doing – but for staff it’s a corporate piece of paper that is easily forgotten," Delfas said. "We need to empower staff to make secure decisions themselves."

"By articulating the requirements, the rationale, and critically the impact of non-conformance, we may be able to start changing mind sets and engendering a secure mentality. By taking staff on a journey and working with them to help them become security focused individuals, we may find that we reap better rewards and improve our collective capabilities. Examples of this include: introducing fake phishing scams, educating staff who click on them, reward those who avoid/spot attacks, take further action on those who persistently do not. We have been impressed with the number of firms who have started to adopt such approaches," she said.

In her speech Delfas gave examples of the cyber risks firms operating in the UK's financial services sector have faced in the past year and urged firms not to pay hackers that use ransomware to lock them out of access to systems and data.

"Ransomware continues to be a focus for criminal groups, offering an off-the-shelf capability to monetise malware whether distributed in a ‘scattergun’ approach (DDOS) or specifically directed at firms," Delfas said. "Both models have benefits, and both yield results."

"We have seen criminal groups infiltrate networks, carry out reconnaissance and plant ransomware directly onto pre-determined network assets to cause the maximum damage, and in some rare cases, backups have also been destroyed by the same attacker. By removing all possible recovery elements, the organisation is left with a fairly binary choice: pay or lose the data … that’s a pretty effective business model if you are the criminal… This demonstrates the criticality of a good backup strategy," she said.

"We expect firms to maintain online and offline backups to ensure that data can be restored without the need to pay a ransom – I have heard of some institutions having bitcoin accounts to pay ransoms – but this will simply encourage more criminality and carries no guarantee that the attacker will actually release the data," she said.

Delfas said that an increasing number of cyber attacks are being reported to the FCA by firms. In 2014 the FCA received five reports of cyber attacks and in 2015 there were 27 such cases, but in 2016 the FCA received 89 reports of cyber attacks, she said.

Firms can avoid becoming victims of cyber attacks if they "get the basics right". Implementing the UK government's '10 steps' to cybersecurity would "eliminate around 80% of the cyber threat firms are struggling to manage", she said.

Non-executive directors and investors also have a role to play in helping firms to improve their cybersecurity, Delfas said.

"There is also the role of the Non Executive Directors (NEDs) – using them to help to share experiences from other businesses, and to ask challenging questions of their board colleagues, and of the senior leaders within an organisation," Delfas said. "In 2014 the UK Government released guidance for NEDs on the types of questions that should be asked, and we very much support this advice. NEDs should be able to satisfy themselves that an organisation is managing cyber risk effectively; the Institute of Directors specifically calls for NEDs to satisfy themselves 'that systems of risk management are robust and defensible'." 

"We are seeing the emergence of a number of institutional investors now questioning boards as to how they effectively manage this risk, which in turn is driving increased focus in the boardroom. We would encourage investors to ask questions about cyber defences, to use a firm’s cyber maturity as a key indicator of resilience, and to push firms to improve in this space. We have seen how cyber can have an impact on a firm beyond the operational disruption caused, extending into equities pricing, and harming the balance sheet. It’s a key consideration and we will be considering how investors can be better equipped to ask the right questions," she said.