Following the recent cyber-attack on the UK NHS, the FCA established on its website a cyber-resilience web page. On this web page the FCA summarises its requirements in the following terms:
“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”
Further “soft” guidance has been given in a speech[1] by Nausicaa Delfas, the FCA Executive Director. One of the key points in this speech was that firms had to get the ‘basics’ right. Many firms believe that they are, but the regulator feels that the reality is different, pointing to the 2016 Verizon Data Breach Investigations Report, which found that ten vulnerabilities accounted for 85% of successful breaches in an analysis of 2,260 data breaches and 64,199 security incidents from 61 countries.
Firms conducting rigorous patch management and getting ‘cyber-basics’ right are key for the FCA, which argues that firms properly implementing schemes such as ‘Cyber Essentials’ or the ‘10 steps to cyber security’ could eliminate about 80% of the cyber-threat they face. The FCA also wants firms to consider specific cyber-risks, urging them to carry out robust and comprehensive risk assessments focussed on the impact of a distributed denial-of-service (DDoS) attack on their systems.
Whilst accepting that some IT concentration may be inevitable (with iCloud, for example), the FCA is also looking for firms to consider concentration risk when subscribing to a given service. In relation to outsourcing to the ‘cloud’ and other third-party IT services, the FCA issued finalised guidance[2] last year which illustrated ways in which the regulator’s rules could be complied with. The European Banking Authority issued a consultation on draft guidance on the use of cloud service providers in May this year. The consultation closes on 18 August 2017.
Awareness and education are also critical components for firms. In her speech Nausicaa Delfas discussed the need for firms to stop using a staff “policy” as the sole baseline for security training, on the basis that staff view this as a corporate piece of paper that is easily forgotten. The FCA has been impressed with firms that have adopted approaches that take staff on a journey and help them become security-focused individuals. Such approaches have included introducing fake phishing scams, educating staff who click on them, rewarding those who avoid or spot attacks, and taking further action against those who persistently do not.
Nausicaa Delfas also mentioned in her speech that there was a role for non-executive directors who should be able to satisfy themselves that their firm is managing cyber-risk effectively. The Institute of Directors specifically calls for non-executive directors to satisfy themselves “that systems of risk management are robust and defensible.”