On 24 April 2017, Nausicaa Delfas, Executive Director of the FCA, delivered a speech on the threat of cyber-attacks in the financial sector and outlined the steps that businesses can take to mitigate them.
The threat landscape
Ms Delfas highlighted some of the current cyber-security trends in the financial sector, in particular the re-emergence of ransomware, the formation of botnets from smart products (such as TVs and fridges) and the possibility of attacks exceeding 1.5 Tb per second. Over the course of 2016, the FCA received cyber-attack reports from 89 regulated firms; the vast majority of these attacks exploited vulnerabilities that were well known and for which fixes were available at the time of the attack. The government also recently published a report on cyber-security breaches which revealed that 46% of all UK businesses had at least one cyber-security breach in 2016.
What steps can businesses take?
The consequences of these attacks can be far-reaching: they compromise the integrity of the market and cause loss to consumers. Consequently, Ms Delfas encouraged businesses to take the following steps in order to prevent, detect, respond to and recover from cyber-security threats:
- Get the basics right – businesses should utilise government schemes such as Cyber Essentials and 10 Steps to Cyber Security, which aim to facilitate the effective management of risk. UK financial authorities consider these schemes to be the basics of ‘good cyber-hygiene’. It is envisaged that the 10 steps will eliminate around 80% of the cyber-security threats businesses are struggling to manage. These steps include embedding a risk management regime, secure configuration and network security, among others.
- Move to a "secure culture" – the government report revealed that the most common breaches involved employees receiving fraudulent emails. Businesses should therefore help staff to behave securely by articulating the requirements of security processes, the rationale for them and the impact of non-conformance with them. Businesses can do this by, among other things, conducting information security training and simulated phishing exercises which measure the percentage of staff who would fall for a phishing scam.
- Share information – the FCA is collecting, anonymising and aggregating actual risk data across 175 firms in each area of the financial sector. Ms Delfas believes that sharing such actionable information with the FCA will help to improve the collective resilience of the financial sector.
- Build the capability – the government is establishing 13 Academic Centres of Excellence that specialise in cyber-security research and innovation, attracting students and investment to the UK in order to address the current cyber skills shortage. Ms Delfas urged businesses to find innovative ways to develop additional talent, since it is no longer sustainable to rely solely on experienced hires.
What next?
There is no doubt that adopting the measures highlighted in Ms Delfas' speech will help businesses manage cyber-security threats. However, there is no ‘one-size-fits-all’ approach, since businesses present different levels of risk to their customers and will have varying budgets allocated to cyber security. Businesses should therefore ensure that they tailor the measures to their respective business types so that the threat is managed effectively. It is critical that businesses get their cyber-security strategy right – the trust, reputational and regulatory consequences of not doing so are growing ever more significant, as the WannaCry attack has highlighted.