On 1 July 2020, UK Finance, which represents over 250 firms across the banking and finance industry, published a paper on managing cyber incidents, designed to assist firms in thinking about their response plans. The paper emphasises the importance of firms being able to mount an effective response to a cyber-attack, and its key takeaways include:

  • Plan: Firms should plan for ‘severe but plausible disruption scenarios’, as stated by the Bank of England, PRA and FCA.
  • Prioritise: Firms should identify their core assets and operations, taking into account what is needed to protect customers, and the risks around them to help put effective controls in place and to inform what to prioritise immediately following an incident.
  • Regulatory obligations: Firms must take into account their regulatory obligations around cyber incidents – including Principles 3 and 11 of the FCA’s Principles for Businesses, SYSC 3.1.1 and 3.2.6, SUP 15.3.1 and PRA Fundamental Rules 2, 5, 6 and 7.
  • The Team: A risk-based approach should be taken when deciding the composition of the incident response team, but there should be expert representatives from each relevant business unit and area. Threat intelligence and the incident response team should work side-by-side to ensure those managing incidents are fully informed.
  • Geography: Where firms operate in a number of locations, consideration should be given as to how those relationships will work in practice in the event of an incident.
  • Communications: Proper consideration should be given as to how firms’ communications will operate in the event of an incident to ensure the correct individuals are involved at the outset and potential harm is mitigated.
  • Training: Staff must be properly trained and, in certain areas, tested, and any lessons learned from incidents must be factored into the response plan.
  • Cost: The possible costs of an incident should be considered, as well as whether cyber insurance is required.

Comments on the paper are to be directed to the Digital, Technology and Cyber team at UK Finance.