Regulatory Cyber Alert: UK Financial Conduct Authority Releases Cybersecurity Insights

March 15, 2019

On March 8, the UK Financial Conduct Authority (FCA) released the publication Cyber security – industry insights. The document compiles insights derived from multiple industry Cyber Coordination Groups (CCGs) run by the FCA since 2017, focused on the theme of improving cybersecurity practices within financial sectors.

Gathering information from over 175 firms, the document discusses and shares recommended practices for protecting companies from cyber threats. A key objective of the document is to help small and medium-sized firms benefit from the experience of larger financial firms and the practices they have implemented to manage cybersecurity risk.

In the document, the FCA provides guidance in six key topic areas. Highlights include:

Governance

In the publication, the FCA identifies the need to align cyber governance with business objectives as part of your firm’s broader risk management framework by:

  • Ensuring that cyber risk is on the agenda of board members/management teams.
  • Educating these groups regarding cyber risk in the context of your firm's business.
  • Understanding the threat landscape and its implications to your firm.
  • Identifying firm assets that might be a target for malicious actors.
  • Using existing industry cyber risk frameworks, including:
    • NIST Cybersecurity Framework
    • ISO27001/2
    • SANS CIS
    • National Cyber Security Centre (NCSC) guidance

Identification

The FCA recommends identifying the assets your firm needs to protect and how they are linked and managed by:

  • Following existing guidance on this topic (e.g., NCSC guidance for GDPR).
  • Building a complete picture of your firm’s assets that are in need of protection using multiple sources (e.g., machine/software inventories, vulnerability scans).
  • Identifying vendor relationships with a focus on third-party access to your firm’s assets.

Protection

The FCA urges protecting the confidentiality, integrity, and availability of business services from cyber incidents by:

  • Developing and implementing protection policies, standards, procedures, and controls.
  • Investing in long-term staff education instead of generic one-off training sessions.
  • Managing vendors and building language into contracts such as the right to audit.
  • Using data encryption proportionately with your firm's data classification policy, managing encryption keys carefully.
  • Conducting risk assessments, identifying and ranking risks/vulnerabilities, and prioritising the remediation or mitigation of these risks.

Detection

The FCA advises firms to monitor for actual and attempted attacks or any misuse of systems by:

  • Configuring monitoring systems effectively:
    • Collect data from the most appropriate sources.
    • Ensure that monitored data is tamper-proof.
    • Review configurations and reliability frequently.
  • Controlling the risk of insider threat:
    • Use specific named accounts.
    • Review and monitor privileged access.
    • Use data loss prevention tools.
    • Use behaviour analytics/alerting.

Awareness

The FCA urges awareness of emerging threats and issues by:

  • Participating in industry forums.
  • Learning from the experiences of other firms.
  • Preparing for potential incidents by leveraging previous experience.

Responsiveness

The FCA advises firms to be prepared to respond to cyber incidents by:

  • Building incident response plans:
    • Develop “playbooks” for incident analysis, communication, and response.
    • Include instructions for assessing effects on critical business services.
    • Pre-determine tolerance to system downtime and data loss (“RPO” and “RTO”).
  • Testing incident scenarios to determine business impact and assess response planning.
  • Being able to conduct investigations using internal staff or specialist external consultants.

Testing

The FCA recommends that firms test cyber defences regularly, and continually improve cyber programs with tests to identify vulnerabilities, including:

  • Penetration tests
  • Phishing simulations
  • Vulnerability scans
  • Employee password tests

ACA Aponix Guidance

We view the FCA’s Cyber security – industry insights as a welcome contribution to the field of cyber-preparedness. The cybersecurity practices described in the document are aligned with those of other industry regulators as well as the best practice risk frameworks. This document should provide a helpful guide to small and mid-size firms looking to build their cybersecurity programs.

How ACA Can Help

ACA Aponix offers the following solutions that can help your firm protect itself from breaches, or related cybersecurity risk:

For More Information

If you have questions, please contact your regular ACA Aponix consultant or email us at info@acaaponix.com.