On March 8, the UK Financial Conduct Authority (FCA) released the publication Cyber security – industry insights. The document compiles insights derived from multiple industry Cyber Coordination Groups (CCGs) run by the FCA since 2017, focused on the theme of improving cybersecurity practices within financial sectors.
Gathering information from over 175 firms, the document discusses and shares recommended practices for protecting companies from cyber threats. A key objective of the document is to help small and medium-sized firms benefit from the experience of larger financial firms and the practices they have implemented to manage cybersecurity risk.
In the document, the FCA provides guidance in six key topic areas. Highlights include:
In the publication, the FCA identifies the need to align cyber governance with business objectives as part of your firm’s broader risk management framework by:
- Ensuring that cyber risk is on the agenda of board members/management teams.
- Educating these groups regarding cyber risk in the context of your firm's business.
- Understanding the threat landscape and its implications for your firm.
- Identifying firm assets that might be a target for malicious actors.
- Using existing industry cyber risk frameworks, including:
  - NIST Cybersecurity Framework
  - SANS CIS
  - National Cyber Security Centre (NCSC) guidance
The FCA recommends identifying the assets your firm needs to protect and how they are linked and managed by:
- Following existing guidance on this topic (e.g., NCSC guidance for GDPR).
- Building a complete picture of your firm’s assets that are in need of protection using multiple sources (e.g., machine/software inventories, vulnerability scans).
- Identifying vendor relationships with a focus on third-party access to your firm’s assets.
- Developing and implementing protection policies, standards, procedures, and controls.
- Investing in long-term staff education instead of generic one-off training sessions.
- Managing vendors and building contractual provisions, such as a right to audit, into vendor agreements.
- Using data encryption in proportion to your firm's data classification policy, and managing encryption keys carefully.
- Conducting risk assessments, identifying and ranking risks/vulnerabilities, and prioritising the remediation or mitigation of these risks.
The FCA advises firms to monitor for actual and attempted attacks or any misuse of systems by:
- Configuring monitoring systems effectively:
  - Collect data from the most appropriate sources.
  - Ensure that monitored data is tamper-proof.
  - Review configurations and reliability frequently.
- Controlling the risk of insider threat:
  - Use specific named accounts.
  - Review and monitor privileged access.
  - Use data loss prevention tools.
  - Use behaviour analytics/alerting.
The FCA urges awareness of emerging threats and issues by:
- Participating in industry forums.
- Learning from the experiences of other firms.
- Preparing for potential incidents by leveraging previous experience.
The FCA advises firms to be prepared to respond to cyber incidents by:
- Building incident response plans:
  - Develop “playbooks” for incident analysis, communication, and response.
  - Include instructions for assessing effects on critical business services.
  - Pre-determine tolerance to system downtime and data loss (the recovery time objective, “RTO”, and recovery point objective, “RPO”).
- Testing incident scenarios to determine business impact and assess response planning.
- Being able to conduct investigations using internal staff or specialist external consultants.
The FCA recommends that firms test their cyber defences regularly and continually improve their cyber programmes, using tests that identify vulnerabilities, including:
- Penetration tests
- Phishing simulations
- Vulnerability scans
- Employee password tests
ACA Aponix Guidance
We view the FCA’s Cyber security – industry insights as a welcome contribution to the field of cyber-preparedness. The cybersecurity practices described in the document are aligned with those of other industry regulators as well as the best practice risk frameworks. This document should provide a helpful guide to small and mid-size firms looking to build their cybersecurity programs.
How ACA Can Help
ACA Aponix offers the following solutions that can help your firm protect itself from breaches, or related cybersecurity risk:
- Cybersecurity and technology risk assessments
- Data privacy compliance
- Vendor diligence and management
- Cyber incident response planning
- Phishing testing and cyber awareness training
- Policies, procedures, and governance
- Mock regulatory cyber exams
- Threat intelligence
For More Information
If you have questions, please contact your regular ACA Aponix consultant or email us at firstname.lastname@example.org.