Points you should consider regarding your firm's operational and cyber resilience following Russia’s invasion of Ukraine.
Although the National Cyber Security Centre (NCSC) is not aware of any current specific cyber threats to the UK following events in Ukraine, the NCSC has called for increased cyber security vigilance[1] among firms in response to Russia’s invasion of Ukraine.
We recommend firms follow their actionable guidance[2] as a priority, to reduce your risk of cyber compromise.
Although the National Cyber Security Centre (NCSC) is not aware of any current specific cyber threats to the UK following events in Ukraine, the NCSC has called for increased cyber security vigilance[1] among firms in response to Russia’s invasion of Ukraine.
We recommend firms follow their actionable guidance[2] as a priority, to reduce your risk of cyber compromise.
Cyber security
Given the continued heightened cyber threat, the NCSC has published new guidance[3] on maintaining a sustained strengthened cyber security posture. This guidance considers the pressure a protracted threat can have on firms’ systems, processes and workforce. It suggests steps for firms to take to maintain a strengthened cyber posture over the longer term in a sustainable, efficient way, while prioritising staff wellbeing.
Alongside the guidance listed above, the NCSC has issued guidance for various sizes of firms:
We also encourage firms to review the NCSC’s Cyber Essentials scheme[7] and further publications linked below.
You should consider your ability, and that of your third-party providers, to withstand a cyber attack. You should take all appropriate steps to shore up your controls, including raising staff awareness: that may, for example, include re-running staff ethical phishing campaigns. Consider if your staffing levels are appropriate to deal with an elevated cyber risk.
The Centre for the Protection of National Infrastructure (CPNI) encourages all firms to review any of their existing risk assessments that address insider threat[8]. This will help you to understand and respond to any heightened insider risks your firm may face.
The CPNI has also issued broader advice[9] relating to the Russian invasion of Ukraine. This will help you to consider your security arrangements and improve them where needed.
Russian technology products and services
The NCSC has published a blog[10] discussing the risks from using Russian technology products and services, which we encourage all firms to read.
In particular, they’re asking for firms they deem higher risk to consider:
- their reliance on all types of Russian technology products or services (including, but not limited to, cloud-enabled products such as anti-virus software)
- how they could insulate themselves from compromise or misuse of services provided out of Russia that they use
Regardless of whether your firm is a likely target, global sanctions could mean Russian technology services (and support for those products) may have to be stopped at a moment’s notice. You should consider how such an event would affect your firm’s resilience and consider plans to mitigate that.
Important business services
You should consider the implications of the continuing unrest and UK/US/EU sanctions and how that might impact upon your firm and your third-party providers, and whether this could affect your ability to deliver your important business services.
Business continuity and incident management
You should ensure your business continuity and incident management arrangements are up to date, ensuring that you can continue to function and meet your regulatory obligations in the event of unforeseen disruption.
Reporting incidents
You should be ready to report material operational incidents to the FCA in a timely way.
During this period, it could be extremely valuable to the FCA and other UK authorities to be notified quickly of developing cyber incidents or outages, so that we can provide specialist expertise and work to minimise harm to consumers, markets and the wider UK financial sector.
See how to report an operational disruption[11].
False information
You should be alert to the risk of false information being gathered or shared about the operations of a particular firm or the financial services sector, or about your staff. This could be, for example, information shared on social media.
If false information is circulated about your firm, you should have a prompt, clear response to try and prevent that information being acted upon.
