On 18 March, The FCA published the transcript to their recent podcast on cyber resilience and security for firms. With more and more financial services moving online, such as online banking, being cyber resilient is becoming increasingly important. With FCA sandbox initiatives for new technology and joint initiatives between the FCA and the ICO it is clear that this is something that all regulated firms should be thinking about. As such, this recent podcast with the FCA’s security expert seeks to remind regulated firms of what they can do to protect themselves from cyberattacks both now and in the future.
The podcast begins by discussing the expectations of customers to receive what they want quickly via a reliable service. In response, the podcast notes firms must manage expectations carefully through their communications and consider how customers will experience their services when they do not work well. Given the fast pace of change in financial technology, the podcast further notes the need for the regulator to keep up with technology and not only consider the opportunities it brings but also its risks and threats.
Turning to consider why it is important that firms think about cyber resilience, the podcast notes that whilst technology can bring fantastic innovation, there is a risk that in creating new innovative products, firms are not building into their plans the potential for future harm or thinking about how they can recover when an issue occurs. With this in mind, the FCA reminds organisations that when they are thinking about a new technology, or even existing technologies, they should ‘build in the sense of how we can be resilient upfront rather than thinking about it as an afterthought.’ To do this, firms will need to consider their vulnerabilities. As such, the podcast notes that whilst we often think of technology as making things simpler, the complexity that often sits behind such technology sometimes means that more things can go wrong, meaning individuals may be more vulnerable to attacks. This is often why cyber criminals will look to exploit complexity in such technology by finding gaps in it. To combat vulnerabilities and build in resilience upfront, the podcast states new technology should aim to be ‘secure by design’. It is particularly important this is done, given that implications of cyber attacks on customers can be long lasting and can undermine trust in the industry and individual organisations. To tackle the implications arising from any attacks, the FCA further notes that it is important to keep customers updated and informed. Firms should think now about how they would respond should an issue occur.
Moving on to consider the action firms can take to ensure cyber resilience, the first question, the FCA thinks firms should ask themselves is ‘do they know their business’. Once that has been answered, it should be easier to understand where the business needs to be resilient and what its most important business aspects are. The FCA is further trying to shift the conversation from prevention to trying to provide contingencies for when something does go wrong. Given that things tend to go wrong particularly where change occurs, it is also important to consider how change can be managed to ensure effectiveness. The podcast, also notes that part of a firm’s cyber resilience should be in ensuring ‘cyber hygiene’. This term is used to explore whether a firm has the ‘basics right’ – and in ensuring cyber hygiene firms may want to consider whether they know who has access to their technology and systems, and whether software and systems are up to date to mitigate risks. Further, good governance and leadership are stated to be absolutely essential to identify, tackle and respond to cyber threats. The podcast stresses that a top down approach where the importance of the matter is instilled into those further down the chain of command is key. It is about creating a strong culture that will prevent issues like phishing, and reminding people that suspicious emails need to be reported. Whilst there is no perfect security culture, the FCA note that actions such as staff testing and education can be beneficial.
As for action smaller firms can take, this is stated to be largely about tackling the basics and can often require a focus on emails as this is often a large area of vulnerability for smaller firms. It is noted that the National Cyber Security Centre’s advice is particularly helpful for smaller firms. The podcast also, underlines that all individuals have a responsibility to understand where threats can come from and that all individuals should aim to understand how they can protect their own data and systems.
With the FCA, PRA and Bank of England having published consultation papers on new requirements to strengthen operational resilience, the podcast notes that the FCA is trying to get a message out to firms that they accept failure can occur but would rather that organisations understood where that is most likely to happen and prepare for it. In light of this, the consultation paper sets out key concepts looking at whether organisations understand their business, what the important services are they offer, and what their regulators care about so they understand what the regulators will be looking at if something goes wrong. From there, it is noted that the regulators are asking how resilient an organisation’s important services are and is prompting testing to find gaps to create improvement. This is noted to require an investment of time that likely needs to be prioritised at senior management and board level. Resilience should likely be a core part of a business model.
Finally, the podcast ends with a discussion of future threats to cyber resilience within the financial services industry. This highlights that whilst the FCA thinks threats will always relate to people as they are a vulnerability that can be exploited, they expect more issues will perhaps arise relating to mobile phone use where people do not spend as much time ensuring security. Looking further ahead, concerns are noted with the advent of quantum computing which will speed up computing power and break a lot of security incredibly quickly. The way to tackle this will be to have a security quantum computing solution which individuals are looking to develop but it is not clear how long this could take.
Based on the above, it is clear that cyber resilience is an ever-evolving subject in which firms will need to invest time and effort to be better placed to respond to cyber threats. As such, firms would be well recommended to consider FCA advice on the matter and take the time to consider the key questions posed.
 FCA Consultation Paper CP19/32, “Building operational resilience: impact tolerances for important business services and feedback to DP18/04”, December 2019 and PRA Consultation Paper CP29/19, “Building operational resilience: Impact tolerances for important business services”, December 2019.