The Financial Conduct Authority and Cyber Resiliency

King & Spalding

The Financial Conduct Authority (FCA) aims to guide regulated firms on its expectations of their cyber resiliency. In 2018, the FCA warned regulated firms that outdated IT systems and a lack of effective cyber controls are a key area of vulnerability, in an environment where it said the threat level for cyber-attacks is “remarkable.”

The FCA has previously cautioned firms that they have failed to “get the basics right on cyber” highlighting that a third of firms do not perform regular cyber assessments. It said that nearly half of UK regulated firms do not upgrade or retire old IT systems in time, and that only 56% say they can measure the effectiveness of their information asset controls. While larger firms may have automated detection systems to spot potential cyber-attacks, smaller firms are reliant on manual processes – or no processes at all.

The FCA also recognizes that firms of all sizes, and in a range of sectors, are at risk of cyber-attacks due to human factors. The FCA has previously reported that many firms operate a cyber awareness program, but it has stressed the need for firms to also focus on high-risk staff, especially those who deal with critical and sensitive data. It has also highlighted the need for firms to develop a positive security culture from the Board down to individual employees. In the FCA’s view, firms should be able to identify and prioritize their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.

Obligations for FCA regulated firms are significant, as they are under a duty to report material cyber incidents which (1) result in a significant loss of data or the availability or control of IT systems; (2) affect a large number of customers; or (3) result in unauthorized access to, or malicious software present on, information and communication systems. For regulated firms these reporting obligations do not negate the requirement to also report certain data breaches to the ICO (the UK privacy regulator) under GDPR, leading to a burdensome set of regulatory reporting requirements for firms which experience cyber incidents.

The FCA and the Prudential Regulation Authority have announced that they have worked in partnership to help regulated firms to understand their cyber resilience capability at a high level, by creating a cyber resiliency self-assessment questionnaire. "CQUEST" consists of multiple-choice questions covering aspects of cyber resilience, such as: Does the firm have a board-approved cyber security strategy? How does that strategy identify and protect its critical assets? How does it detect and respond to an incident, recover the business and learn from the experience?

The FCA considers that the answers to the questionnaire will provide a valuable snapshot of a firm’s cyber resilience capability as well as highlight areas for further development.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
