Information on correspondence between unions and any employee of the FCA treated as phishing - November 2021


Reference Case Number: FOI8736

Freedom of Information: Right to know request:

Please provide me with any information (including but not limited to emails, policies, instructions and guidance) you hold about any decision, instruction, policy, plan or accidental event where you have treated or caused to be treated any correspondence between Unite (or any other union) and any employee of the FCA, as a phishing attempt. This will include any automatic block/filters set up on the FCA's email system.

For the avoidance of doubt, I am not interested in the names or contact details of the Unite members or FCA staff involved in the correspondence.

FCA response:

Before we address the information that you have requested, we would like to explain that the vast majority of cyber-attacks begin with an email. The FCA, in common with most organisations, implements strong anti-phishing controls and restricts its email system to work use only.

Following a number of external emails sent to a large number of colleagues, we were concerned that malicious actors may use references to the current FCA internal consultation to persuade colleagues to open emails and click on links that may undermine our cyber security. As a result, to reduce the risk of spam and phishing, we took the decision to quarantine incoming emails that included certain terms and had specific characteristics. This resulted in our anti-phishing controls quarantining 23 emails from Unite (as of the date of this FOIA request). Following security checks, all were subsequently released to their intended recipients.

We hold the enclosed emails that, in part, set out the decisions taken in relation to the phishing controls that were applied to correspondence between Unite and employees within the FCA. Please see the annex below for copies of these emails. We would like to explain that we are exempted from disclosing some of the information contained within these emails under section 31 (Law enforcement) of FOIA as the public interest in maintaining the exemption outweighs the public interest in disclosure. We have also redacted elements of these emails that are not within scope of your FOIA request.

Section 31 is a qualified exemption, and therefore in considering where the balance of the public interest lies in making this information public, we have assessed that it would be likely to prejudice the exercise by the FCA of its functions for certain purposes (set out below).

We have considered the arguments for and against disclosure. 

Section 31 (Law enforcement)

The qualified exemption in section 31(1)(a) of the Act applies because disclosure of the information requested would, or would be likely to, prejudice the prevention or detection of crime.

As explained in our letter, this exemption applies to a small amount of the information requested, in that such information, if disclosed, would, or would be likely to, prejudice the prevention or detection of crime, as disclosure would enable criminals to draw conclusions about our cyber security capability and in turn may encourage them to launch cyber-attacks on our systems.

This exemption is qualified and we have balanced the public interest for and against disclosure as required by the Act.

For disclosure:

  • The FCA can demonstrate transparency in the public interest through being open and accountable following the publication of our current internal consultation on our reward offer.

Against disclosure:

  • In addition to the arguments set out above, there is a strong public interest in the FCA being able to keep its systems safe and secure from cyber-attacks to ensure our role as financial regulator is not compromised.

On this occasion, we have concluded that the balance of the public interest is in favour of maintaining the exemption under section 31 of the Act, for the reasons set out above.

Supporting document

FOI8736 Annex