The FCA has published a speech by Nausicaa Delfas, FCA Executive Director, on the steps firms can take to manage cyber-security threats.
Key points in the speech include:
- the FCA’s work in the financial sector has shown that firms continue to struggle to get the basics right. Schemes such as Cyber Essentials or the 10 steps to cyber security articulate what the UK Government and the UK financial authorities consider to be the basics of what is termed ‘good cyber hygiene’. If properly implemented, the 10 steps to cyber security are estimated to eliminate around 80% of the cyber threats firms are struggling to manage;
- the FCA also wants firms to consider specific cyber risks. Financial institutions are urged to carry out robust and comprehensive risk assessments focussed on the impact of a distributed denial of service attack on their systems;
- mitigation solutions are available and the FCA supports their use. The FCA does ask that firms consider concentration risk when subscribing to a given service, to avoid contamination in the event of widespread sector attacks;
- some concentration may be inevitable (with iCloud for example), but due diligence of third-party suppliers should include a review of their cyber resilience. Firms should also ensure that they have controls in place to swiftly recognise when an attack has happened at a third-party supplier, and have plans in place to correct or reduce undesirable outcomes;
- non-executive directors should be able to satisfy themselves that an organisation is managing cyber risk effectively. The Institute of Directors specifically calls for non-executive directors to satisfy themselves “that systems of risk management are robust and defensible”; and
- institutional investors are now questioning boards as to how they effectively manage cyber risk. The FCA encourages investors to ask questions about cyber defences, to use the firm’s cyber maturity as a key indicator of resilience, and to push firms to improve in this space.
View FCA speech on managing cyber-security threats, 24 April 2017