Tyrie bemoans 'opaque' nature of oversight of cyber risk in financial services

Out-Law News | 24 Mar 2017 | 4:52 pm

A UK parliamentary watchdog has called on the UK chancellor to clarify how oversight of cyber risk in financial services is provided for in practice after expressing concern that the lines of responsibility and accountability for reducing such threats are "opaque".

Details of the request are contained in newly published letters which were exchanged earlier this year between Andrew Tyrie MP, chair of the House of Commons Treasury Select Committee, and chancellor Philip Hammond, on the topic of cybersecurity in financial services.

Late last year, Tyrie said the UK should consider reorganising its governance of cyber risk in financial services so that there is "a single point of responsibility".

In a letter to Tyrie, Hammond said (2-page / 1.15MB PDF) that "action to improve the cyber resilience of the UK finance sector is well-coordinated" between the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the government.

"[The Treasury] chairs a director-level group which oversees work on cyber between the financial authorities, Cabinet Office, the NCSC (National Cyber Security Centre), and the National Crime Agency," Hammond said. "This is supported by a deputy director and working level groups. This governance framework provides a single point to address cyber issues in the finance sector and prioritise a work programme across relevant authorities and agencies."

However, in his response, Tyrie described the lines of accountability as "opaque" (1-page / 500KB PDF) and asked for clarity on how the system described by Hammond works in practice.

Tyrie said: "It is unclear whether the director or governance framework takes precedence as the single point of the responsibility. I would be grateful if you could provide clarity on this. I would also be grateful if you could clarify what proportion of the director's time is related to cyber risk in the financial services sector, and what power they have to instruct GCHQ and the NCSC to allocate resources and funding to particular tasks in this field."

Tyrie also asked Hammond to explain whether and to what extent the director is obliged to respond to requests from the regulators, and what duty they are under to explain their work to parliament.

In a statement issued alongside the publication of the letters, Tyrie said: "The chancellor has said that both a director-level group and a 'governance framework' provide a single point to address cyber issues in the finance sector. But who is in charge? Is it the director or does the framework take precedence? Who is he or she? A headless framework scarcely inspires confidence."

"The problem with such committees and frameworks is that all too often they only get the attention they deserve after a crisis – when it’s too late. This must not be permitted to happen in the case of financial cyber risk. It is essential that the intelligence community, regulators and wider government are coordinated in making sure that financial cyber crime has a high priority, and is not subordinate to other work. Such a lack of coordination will inevitably lead to greater opportunities for criminals to exploit vulnerabilities in the banking industry’s IT systems. They are already under frequent attack," he said.

Tyrie said the creation of a single point of responsibility for cyber risk in the financial services sector "is now required". A single official should be accountable and report to a government minister, he said.