In a paper published last month,[i] the UK’s Financial Conduct Authority (“FCA”) set out various cybersecurity insights gleaned from the work of cyber coordination groups (“CCGs”) the regulator established in 2017. The publication of these insights—along with previous communications from the FCA and Bank of England—show that the cybersecurity practices of financial services firms operating in the UK are under the regulatory microscope as the cyber threat continues to grow. Indeed, in a November 2018 speech by Megan Butler (the FCA’s Executive Director of Supervision), she said: “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation of tech and cyber incidents that are affecting UK financial services.”
This client alert summarizes the insights from the recent FCA paper alongside longer-term themes. It also provides our suggestions for how financial services firms should proactively equip themselves to respond to increased regulatory scrutiny—including for a full-blown enforcement investigation—of their systems and controls in this area.
The FCA Paper
To date, the FCA has brought together over 175 financial services firms to create CCGs representing the fund management, investment management, insurance, retail banking, and retail investment and lending sectors. Later in 2019, it will be establishing two new CCGs for trading venue and benchmark administrators, as well as brokers and principal trading firms. The FCA paper shared practices and insights from the existing CCGs on the following topics:
- Identification of information assets
- Protection of information assets
- Being alert to emerging threats and ready to respond
- Testing and refining defences
Financial services firms must take steps to put cyber risk on the agenda of the board and senior management by educating them on the topic and providing them with sufficient information to properly understand and engage with the firm’s cyber risk. This includes providing tailored workshops that use case studies and/or real incidents reported in the media, as well as presenting high-quality management information to executives in terms they can understand. Financial services firms and their boards are also encouraged to create profiles for the various types of malicious actors who might target the firm (from hostile nation states to amateur hackers), and to consider what methods such actors might use to seek to achieve their ends.
A practical way to achieve better governance of cyber issues is to recruit “champions” in the business who understand cyber and can help to bridge any gaps between the business and its technology and security functions. As reported previously by the FCA (in a November 2018 survey report[ii]), firms subject to the Senior Managers Regime[iii] tend to have better structures in place for allocating responsibility and ownership of the firm’s cybersecurity strategy, but smaller firms outside the regime should consider nominating an individual at the board or senior level to have responsibility for technology resilience. These requirements tie into the “data protection by design and default principle,” one of the fundamental principles under the General Data Protection Regulation (“GDPR”), which requires all controllers of personal data to put in place technical and organizational measures to integrate necessary safeguards into the processing of all personal data, amongst other obligations.
Identification of information assets
Knowing what information the firm possesses – and the linkages that exist between different internal and external management systems – is crucial. The paper encourages firms to use existing guidance available on GDPR security outcomes[iv] to develop a list of information assets, and to consider assets from multiple perspectives and data sources. It also suggests carrying out a business impact analysis to identify those business services that need the most protection to ensure continuity. In this regard, it is crucial to understand all of the firm’s dependencies on suppliers and other third-party partners.
Protection of information assets
Firms need to make continuous and joined-up efforts to protect the continuity of their business services, including by investing in a long-term cyber education and awareness program across the business, and by deploying training to those individuals who have access to critical systems. The paper includes suggestions on how to manage third-party suppliers via contractual language and audit rights – in line with the GDPR requirement to enter into compliant written agreements with third parties with the aim of safeguarding personal data – and for following a risk-based approach to the use of encryption. It also suggests using existing security configuration standards like the Center for Internet Security Benchmarks[v] or the National Cyber Security Centre[vi] secure configuration guidance[vii] as a base.
Cybersecurity should be made part of the firm’s change management[viii] processes. In this regard, the FCA’s November 2018 survey report indicated that poor IT change management was responsible for 20% of the operational incidents that were reported to the FCA by firms between October 2017 and September 2018. The survey found a significant disconnect between firms’ self-assessments of their IT change management processes (which were generally positive) and the reality of the FCA’s data.
The paper’s focus in this area was on tackling the “insider threat” and putting an effective monitoring regime in place. This can be achieved via the firm’s identity and access management processes, heightened monitoring of critical systems and the use of network behavior monitors and analysis.
Where an attack or other incident is detected, remember that firms have a duty under Principle 11[ix] to report all major technology outages and cyber-attacks to the FCA (and there is a similar Fundamental Rule (“FR”) 7 duty to the Prudential Regulation Authority (“PRA”)). If an incident could have a significant adverse effect on the firm’s reputation, and/or could affect the firm’s ability to continue to provide adequate services to its customers, then the notification must be made immediately.[x] These duties/obligations are in addition to the stringent requirements under GDPR to report breaches which pose a risk to the “rights and freedoms” of individuals to the Information Commissioner’s Office (“ICO”) within 72 hours of becoming aware of the personal data breach and, in some cases, to the individuals themselves, without undue delay.
Being alert to emerging threats and ready to respond
Firms can stay up-to-date on emerging threats and issues by participating in cyber forums and should also incorporate the sharing of information and intelligence into their incident response plans. Another beneficial practice is to carry out tabletop exercises using examples of cyber incidents that have affected other businesses and using the output of these exercises to continuously refine and improve incident response plans. Firms may even wish to simulate an incident investigation process from start to finish as part of their training program and consider establishing and testing communications protocols with key internal decision makers and external stakeholders.
Testing and refining defences
Firms are urged to create a comprehensive framework for testing and refining cyber defences, by reviewing exceptions and non-conformities and performing root-cause analysis of incidents and near-misses, as well as by testing employees’ passwords against exposed credential dumps and making it easier for staff to report phishing or other suspicious events. It is also suggested that firms use a variety of other means to flush out security vulnerabilities, such as penetration testing, phishing simulations, vulnerability scanning and red/purple teaming.
Proactive measures to take
Cyber incidents are inevitable, and the FCA does not expect firms to be able to guarantee a “zero failure” system. However, the FCA is pursuing enforcement investigations more frequently than it has in the past, and it would be prudent for firms to take note of the regulator’s increased attention. Over the past few years, there has been a steady supply of papers, speeches and informal guidance on cyber issues from the regulators. There has also been enforcement activity, notably the Final Notice issued in respect of Tesco Bank in October 2018 (imposing a financial penalty of £16.4 million) and the Final Notices issued in respect of the Royal Bank of Scotland (“RBS”) in November 2014 (where the FCA imposed a financial penalty of £42 million and the PRA imposed an additional penalty of £14 million). The RBS case focused on IT resilience and operations, while the Tesco Bank case concerned a cyber breach – thus demonstrating that the UK regulators will bring enforcement actions across the spectrum of technology issues.
The FCA’s and PRA’s remits to carry out enforcement investigations run parallel to the enforcement capability of the ICO. The ICO has a mandate to investigate and impose sanctions on businesses that fail to put appropriate safeguards in place to protect personal data, as well as those that fail to meet their obligations to report cybersecurity incidents (which impact upon the rights and freedoms of individuals) to the ICO. As has been widely publicized, the monetary penalties under GDPR are significant: regulators have a mandate under GDPR to issue fines of up to 20 million Euros or 4% of annual global turnover, whichever is higher. A recently published memorandum of understanding between the FCA and the ICO illustrates their commitment to collaborate in enforcement investigations. It also sets out principles on information sharing and their joint approach to enforcement, where they each have a remit.[xi]
Firms should ensure that their internal threat detection, communications, and escalation procedures are primed to respond to a breach from a technical and business continuity point of view, while also ensuring that they will satisfy the timely notification requirements imposed by Principle 11, FR 7 and related notification rules. One way to do this would be via regular mock scenario planning or tabletop exercises to test how the firm would react to a cyber breach, and whether there are any gaps or flaws in the existing breach response plan and related protocols.
Other proactive measures to consider include:
- commissioning a cyber-focused Governance review;
- arranging training for the board and/or senior management, to ensure that they understand the cyber risks facing the business, as well as their role in protecting the firm and its customers from such risks; and/or
- carrying out a third-party/outsourcing review into cyber-interconnectivity (i.e. the dependencies between internal systems and those maintained by, or otherwise dependent on, third parties) and whether the firm has sufficient operational and legal protections in place across its entire cyber “eco system.”
Such steps will help position the firm to respond appropriately and to defend any subsequent regulatory or private actions flowing from an incident.
[iii] The regulatory reforms introduced in 2016 aimed at creating a more direct form of accountability for senior management of firms and governing the vetting and approval of individuals for senior management roles. It currently applies to all deposit takers, investment firms and insurers regulated by the FCA and PRA, and from 9 December 2019 it will extend to all financial services firms that are solo-regulated by the FCA.
[iv] See here: https://ico.org.uk/for-organisations/security-outcomes/ and here: https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes.
[vi] An agency within the UK government that provides advice and support for the public and private sector on how to manage computer security threats.
[viii] The structured approach that an organization takes in order to move from its current state to a desired future state (e.g. as part of a corporate restructure or in response to changes in regulatory requirements).
[ix] One of the FCA’s Principles for Businesses. Principle 11 requires a firm to deal with its regulators in an open and cooperative way, and to disclose
to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice.
[x] See SUP 15.3.1R. https://www.handbook.fca.org.uk/handbook/SUP/15.pdf