PSD2 sparks rise in UK reported tech and cyber incidents

Out-Law News | 28 Nov 2018 | 3:52 pm

The number of outages that financial services firms reported to the UK's Financial Conduct Authority (FCA) more than doubled in a year, according to new data published by the regulator.

Between October 2017 and the end of September 2018, there were 511 technology-related incidents reported to the FCA, up 138% on the same period the year before. The FCA has also reported seeing an 18% increase in the volume of cyber-related incidents reported to it year-on-year.

Of the known root causes of operational incidents reported to the FCA during the period, a fifth stemmed from "failed IT changes", while 15% resulted from third-party failures, it said. The FCA said 60 incidents occurred due to cyber attacks.

Angus McFadyen, an expert in technology law in the financial services sector at Pinsent Masons, the law firm behind Out-Law.com, said: "Outages are a reality – with more on-demand access to financial services, and mandated reporting, this is now more publicly visible than ever. We should not automatically criticise firms for outages or higher reporting rates. The impact of each outage on customers will vary greatly and, in some cases, outages will be carried out to protect customers and system integrity, such as when linked to security incidents."

"Some of the greatest outages have been linked to system replacement programmes – these are always challenging and firms have been improving their readiness for adverse events, with there being examples of poor practice in this area before," he said.

The overall increase in incidents reported can largely be attributed to new incident reporting rules taking effect in the payment services market, the regulator said.

Under the second Payment Services Directive (PSD2), which took effect in January this year, payment service providers are obliged to notify regulators of major operational or security incidents they identify "without undue delay". They are also obliged to inform the users of their payment services about such incidents, and about the measures they are taking to mitigate their adverse effects, where the incident has or may have an impact on the financial interests of those users.

Since August in the UK, banks have had to publicly disclose how often they have had to report major operational and security incidents to the FCA.

According to the FCA's data, there were a total of 646 technology- or cyber-related incidents reported to it between October 2017 and September 2018. Of that number, more than half – 336 incidents – were reported by businesses subject to PSD2 since the incident reporting requirements took effect in January this year.

The FCA said, though, that "evidence suggests" that firms that are not subject to the incident reporting requirement under PSD2 "are under reporting" major technology outages and cyber-attacks. It reminded firms "of their obligations to report".

The PSD2 incident reporting rules complement the FCA's general reporting requirements which have applied for much longer. Those rules require regulated financial services firms to disclose to the FCA "anything relating to the firm of which that regulator would reasonably expect notice". The FCA has said those rules encompass a requirement on firms to notify 'material' cyber incidents affecting their firm as soon as they become aware of them.

In a new infographic published by the FCA, the regulator explained when a cyber incident might be deemed 'material' and subject to its reporting rules.

"An incident may be material if: it could or does result in significant loss of data, or the availability or control of your IT systems; it affects a significant number of customers and could result in serious harm to them, such as theft of personal data; it could or does result in someone getting unauthorised access to data and altering it, or; malicious software is present on your information and IT systems," it said.

As well as publishing the data concerning the reported incidents, the FCA also shared the results of a survey of nearly 300 firms which assessed their technology and cyber capabilities.

The FCA said the survey showed there is "a disconnect between firms’ self-assessed strength in change management and our analysis of incidents reported to the FCA".

"We recognise that firms need to make regular changes – of varying size and complexity – to their technology estates, and that from time to time things will go wrong," the FCA said. "However, the responses indicate that some of the concepts set out in [the recent joint operational resilience discussion paper] (such as the identification of important business services and the need to focus on recovery plans and customer communications) are not yet part of all firms’ thinking."

"We will be doing further work over the coming year to assess the sorts of changes, and poor change management practices, which give rise to the incidents reported to us," it said.

The survey also identified shortcomings in firms' oversight of third parties.

"Half of firms said that they do not maintain a comprehensive list of all third parties with whom they do business and which access their systems and data," the FCA said. "Without this understanding, it will be difficult for firms to appropriately assess the criticality of third parties, and the subsequent risk to services they provide."

"We recognise the scale of this challenge, particularly at the largest firms. However, the adoption of a risk-based approach to assessing the criticality of each third party and the potential impact caused in an adverse situation is fundamental to resilience," it said.

The FCA also said that firms need to do more to understand their suppliers' abilities to respond to and recover from cyber incidents.

It said: "Nearly all firms described discussing cyber risk with their third parties. However, only 66% of large firms and 59% of smaller firms understood their third parties’ response and recovery plans. These figures drop to 22% and 19% (respectively) when it comes to explicitly including third parties in their own testing plans. We are disappointed with these responses given the wide understanding of the risks third parties pose to firms’ operational resilience, and the number of incidents involving third parties."

In a speech highlighting the data it published and the results of the survey, the FCA's director of supervision for investment, wholesale and specialist, Megan Butler, explained the importance of managing outage and security incidents properly.

"The FCA does not expect ‘zero-failure’," Butler said. "The true test of the resilience of UK finance is not the absence of incidents. It’s how well incidents are managed."

A new inquiry was recently opened by a committee of MPs in the UK to look into the common causes of bank IT problems and their impact on consumers.