In a speech made this week, Megan Butler from the Financial Conduct Authority (FCA) outlined the regulator’s cyber expectations for registered firms. Butler discussed the state of the industry with respect to technology and cybersecurity risk and stated that the FCA will take action if they see “inappropriate responses and inappropriate protection being taken”.
The speech noted that one-third of UK firms are not performing regular risk assessments and that under-reporting of incidents to the regulator is still a problem, as all firms should be reporting material cyber incidents to the FCA under Principle 11. Butler also noted the importance of third-party management, board-level responsibility, incident response, and staff awareness programs.
Based on the results of the FCA’s survey of 296 financial services firms during 2017-2018, Cyber and Technology Resilience: Themes from cross-sector survey 2017-18, Butler stated that the FCA sees “no immediate end in sight to the escalation in tech and cyber incidents affecting UK financial services”.
Among the FCA’s survey findings:
- From the start of the year to October, there was a 138% increase in technology outages reported to the FCA. Of these, 18% of reported incidents were cyber-related.
- Nearly half of firms do not upgrade or retire old IT systems in a timely manner.
- Only 56% of firms say they can measure the effectiveness of their information assets controls.
In the speech, Butler expressed particular concern about the vulnerabilities appearing around key assets, information, and detection. The regulator promised an escalation of focus on these areas and warned that firms which fail to establish the necessary tolerances against these risks can expect a regulatory response.
ACA Aponix Guidance
ACA Aponix recommends taking the following measures regarding the FCA warning:
- Ensure that your firm has a strong regulatory cybersecurity program in place, including risk assessment, vendor diligence, network testing, staff awareness, and governance programs.
- Continually monitor regulator guidelines, and assess your firm’s compliance with these guidelines.
- Make cybersecurity and regulatory staff education a regular, ongoing element of the firm's operations.
How ACA Can Help
ACA Aponix offers the following solutions that can help your firm protect itself from cybersecurity risk:
- Cybersecurity and technology risk assessments
- GDPR compliance assistance
- CCPA compliance assistance
- Phishing testing and cyber awareness training
- Policies, procedures, and governance
- Vendor diligence and management
- Cyber incident response planning
- Threat intelligence