FCA Warns Firms Against Inadequate Cybersecurity Protection

November 30, 2018

In a speech made this week, Megan Butler from the Financial Conduct Authority (FCA) outlined the regulator’s cyber expectations for registered firms. Butler discussed the state of the industry with respect to technology and cybersecurity risk and stated that the FCA will take action if they see “inappropriate responses and inappropriate protection being taken”.

The speech noted that one-third of UK firms are not performing regular risk assessments and that under-reporting of incidents to the regulator is still a problem, since all firms should be reporting material cyber incidents to the FCA under Principle 11. Butler also noted the importance of third-party management, board-level responsibility, incident response and staff awareness programs.

Based on the results of the FCA’s survey of 296 financial services firms during 2017-2018, Cyber and Technology Resilience: Themes from cross-sector survey 2017-18, Butler stated that the FCA sees “no immediate end in sight to the escalation in tech and cyber incidents affecting UK financial services”.

Among the FCA’s survey findings:

  • From the start of the year to October, there was a 138% increase in technology outages reported to the FCA. Of these, 18% of reported incidents were cyber-related.
  • Nearly half of firms do not upgrade or retire old IT systems in a timely manner.
  • Only 56% of firms say they can measure the effectiveness of their information assets controls.

In the speech, Butler expressed particular concern about the vulnerabilities appearing around key assets, information, and detection. The regulator promised to escalate its focus on these areas and warned that firms which fail to establish the necessary tolerances against these risks can expect a regulatory response.

ACA Aponix Guidance

ACA Aponix recommends taking the following measures regarding the FCA warning:

  • Ensure that your firm has a strong regulatory cybersecurity program in place, including risk assessment, vendor diligence, network testing, staff awareness, and governance programming.
  • Continually monitor regulator guidelines, and assess your firm’s compliance with these guidelines.
  • Add cybersecurity and regulatory staff education as a regular and continuing element in company functioning.

How ACA Can Help

ACA Aponix offers the following solutions that can help your firm protect itself from cybersecurity risk:

For More Information

If you have any questions or would like more information about ACA's solutions and services, please contact Kassie Canning, your ACA Aponix consultant, or email us at info@acaaponix.com.