On 27 November 2018, the FCA published a report on its 2017-2018 cross-sector survey on cyber and technology resilience. The FCA surveyed 296 firms during 2017 to 2018 to assess their technology and cyber capabilities. The survey looked at key areas such as governance, delivery of change management, managing third party risks and effective cyber defences.
The key takeaways from the report are as follows:
- the number of incidents of technology outages reported to the FCA has increased by 138% in the past year;
- firms identified governance as the area where they have the strongest capability. In both the technology and cyber surveys 90% of firms assessed themselves as having strong governance controls. Firms subject to the Senior Managers’ Regime often reported a clearer structuring of roles and responsibilities and ownership of a cyber security strategy;
- most firms rank cyber resilience as their top concern, and nearly 80% of respondents struggle to maintain a view of what information they hold and of their third parties;
- many firms reported that they have mature IT change management functions, but failed IT changes caused 20% of the operational incidents reported to the FCA between October 2017 and September 2018; and
- firms described challenges in managing their third parties. Third party issues, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the FCA (the second highest root cause).
The FCA suggests that firms are under-reporting major technology outages and cyber-attacks and reminds them of their obligation under Principle 11 of the Principles for Businesses. The report will be considered in the FCA’s supervisory plans for 2019.