It has been reported that, in 2021, the FCA experienced a 52% increase in reports of “material” cyber security incidents and we expect this upward trend to continue into 2022. The rise in ransomware in particular was highlighted in the very recent paper published by UK Finance, which called on UK authorities to focus on disrupting ransomware criminals and criminal networks[1].
New FCA and PRA requirements in relation to operational resilience came into force on 31 March 2022 and the regulators’ focus on operational resilience (including cyber resilience) formed a key element of the FCA’s 2022/23 Business Plan published on 7 April 2022[2] and was subsequently highlighted in a speech made by the PRA on 25 May 2022[3].
We advise a broad range of regulated clients on communicating with regulators and law enforcement in the event of a cyber threat or attack and more generally on related matters such as governance, senior manager responsibility and remediation. In an episode of our Beyond Sanctions podcast series last month, we discussed the FCA’s announcement concerning cyber security in light of the events in Ukraine and some of the work we have been doing for clients to help them through this period of uncertainty.
Drawing on this experience and lessons learned from other high profile enforcement cases in recent years, we have set out below some key points that firms and senior managers should have at the forefront of their minds from a regulatory perspective when responding to a cyber incident:
Regulators’ expectations
- Respond swiftly: firms will be expected to demonstrate they have responded to any cyber threat or attack with sufficient rigour and urgency. Firms will need to ensure that they have assessed tolerances, performed considerable stress-testing and consider appropriate contingency planning to manage and, ultimately mitigate risk.
- Consider regulatory notifications: when making notifications, firms must take into account their regulatory reporting obligations around cyber incidents[4]. In particular firms are likely to be expected to report material cyber events where an attack (i) results in a significant loss of data, (ii) results in the unavailability or control of their IT systems, (iii) affects a large number of customers, and/or (iv) results in unauthorised access to their information systems[5].
- The importance of prompt notification of developing cyber incidents or outages was recently highlighted by the FCA as being “extremely valuable” following Russia’s invasion of Ukraine to help the regulator to provide specialist expertise and work to minimise harm to others[6]. Firms should also continue the dialogue, as part of monitoring the ongoing impact of any live incident and update the regulators as appropriate.
- Rectification and redress: firms may be given credit for taking proactive steps following a cyber-incident, for example by commissioning a third party to undertake a review and root-cause analysis of the attack, identify any potential weaknesses in systems and controls and recommend remedial actions.
- Coordination across jurisdictions: given the global nature of firms and/or services provided there is a strong chance that more than one regulator may become involved, either on a domestic or international level or both. Firms may need to coordinate responses to multiple regulators and consider accordingly how each area and jurisdiction of the business has been impacted, recognising that information may be shared between regulators.
- Prioritise governance: firms must ensure they have an appropriate internal governance process for dealing with the aftermath of a cyber threat or attack, including processes to validate the integrity of information affected by the disruption, implement the business continuity plan, communicate internally with relevant stakeholders and escalate and report to senior management and the board as appropriate. Relevant senior managers should ensure they are kept informed and play an appropriate role in decision-making including on a cross-border basis where required. Often the response to an incident may be led by a particular group member in another jurisdiction but those managing the business of the UK regulated firm need to ensure that adequate consideration is given to relevant regulatory considerations as part of that response.
- Recovery: any continuity plan should also be subject to rigorous and regular review and testing, and firms should adopt a risk-based approach to getting systems and processes up and running.
- Record-keeping: firms should keep records of decisions and steps taken both during and in the aftermath of a cyber incident, ensuring all of the points set out above are documented appropriately including any communication (whether oral or in writing) with the regulators and/or other law enforcement authorities.
Minimising exposure to cyber threats and attacks
The FCA and PRA expect firms to have the right risk frameworks, oversight and escalation mechanisms, and monitoring arrangements in place to ensure robust cyber resilience. This includes having a proper understanding of where the business could be more or less exposed, and putting in place robust horizon scanning processes so firms can continuously check for emerging risks and factor these into their governance, risk and compliance processes. It also means prioritising resources accordingly and, crucially, this should include human resources: the regulators will expect firms to ensure the requisite skills and experience are reflected at senior management and board level, as well as having well trained staff with a strong sensibility of their own regulatory responsibilities on an operational level.
[1] UK Finance Member Position on Ransomware.pdf
[3] What will operational resilience look like going forward? An overview of the supervisory regulatory position − speech by Duncan Mackinnon | Bank of England
[4] Including Principles 3 and 11 of the FCA’s Principles for Businesses, SYSC 3.1.1 and 3.2.6, SUP 15.3.1 of the FCA Handbook and PRA Fundamental Rules 2, 5, 6 and 7.
[5] Operational Resilience | FCA
[6] Russian invasion of Ukraine: operational and cyber resilience | FCA