Our approach to cyber security in financial services firms

Speaker: Nausicaa Delfas, Director of Specialist Supervision
Location: Marriott Grosvenor Square, London
Delivered on: 21 September 2016

Key points:

• Cyber risk is an ever evolving and asymmetric threat. It impacts each one of our objectives – market integrity, consumer protection and competition – whether through markets being disrupted through loss of availability of platforms, sensitive market or customer data being stolen or compromised, or access to core banking services.
• We regulate 56,000 financial services firms, from the largest banks, insurers, market infrastructure providers to the smallest advisers. Firms, whatever their size, could pose a significant risk to our objectives if their services were disrupted – even the smallest firm could hold large quantities of sensitive data, which if compromised could have a ripple effect to other areas of the financial sector, and business generally.
• Cyber security is a shared interest and responsibility – we will continue to take a co-operative approach to addressing this threat, continuing to work with Government, other regulators, nationally and internationally on this important issue. 
• What we will be looking for is a ‘security culture’ in firms of all sizes – from the Board down to every employee. Cyber is not just an IT issue, but covers people, processes and technology. The key is: good governance, identification and protection of key assets, detection, response and recovery and information sharing, with the regulator and other parties. 

Note: this is the text of the speech as delivered.

Thank you to the FT for organising today’s important summit. It is a pleasure to join you this morning.

We have heard from firms and other stakeholders their perspectives on cyber risks – today I provide more detail on how the FCA is meeting this challenge, as well as clarifying our expectations of firms.

The FCA regulates 56,000 financial services firms, from the largest banks, insurers and market infrastructure providers to the smallest advisers. Our objectives are to secure appropriate protection for consumers, protect and enhance the integrity of the UK financial system and promote effective competition in the interests of consumers.

Cyber risks challenge each of these objectives: whether through markets being disrupted through loss of availability of platforms, sensitive market or customer data being stolen or compromised, or access to core banking services.

Across this population, our objective is to help firms to become more resilient to cyber-attacks, to enhance market integrity and to protect consumers.

Cyber resilience is a matter of priority for us, and we have created a specialist team within my Division to lead on this work, within the broader spectrum of operational resilience.

Our view of the cyber landscape is that risks and threats are ever evolving and ever increasing – we need to remain vigilant and agile to combat them. It is an asymmetric threat – easier to perpetrate than to defend against. You will all be aware of the well reported attacks on Talk Talk, Cabarnak, Bank of Bangladesh, and associated SWIFT reports.

We know also from firms’ reports to us that attacks are on the increase year on year – in 2014, we received 5 reports, in 2015 27, and 75 so far in 2016. Whilst this significant increase indicates more attacks are occurring, this may also suggest better detection and greater reporting to us on the part of firms, which we very much encourage.

This increase in incidents, considered alongside the regular reports from security specialists, suggests our challenge is only getting greater. For example, Symantec’s latest annual Internet Security Threat Report certainly makes for a sober read – reporting a 125% increase in zero-day vulnerabilities globally, a figure that effectively more than doubles the scale of the task in hand.

Moreover, the same analysis suggests some half a billion records have been lost globally as a result of data breaches, with 430 million new malware variants discovered in 2015. PwC, meanwhile, report a 45% increase in the volume of cyber-attacks by organised criminal gangs.

What is our approach?

It’s important to reflect what I am sure we all know – neither regulators, nor firms, can hope to prevent all attacks succeeding – it is a matter of when, not if. But responsibility for defending against this risk is a shared one.

Cyber security is a shared interest and responsibility. Our intention is to deepen that spirit of co-operation.

So our approach so far has been to work closely with the industry – I would like to start by thanking industry directly for its positive engagement with the FCA over the last year. We have always worked on the basis that cyber security is a shared interest and responsibility. Our intention is to deepen that spirit of co-operation – we are committed to working very closely with you, as well as with the Bank, the Government, international colleagues and others to push hard for further improvement.

Our focus so far has been two fold:

1. Engaging nationally and internationally to ensure a co-ordinated approach to addressing this threat.

For example, the FCA has been involved in writing the CPMI and IOSCO guidance on cyber resilience for financial market infrastructures. Most of its contents are directly relevant to firms here.

We have also been working as part of the G7 cyber expert group, which is due to report later this year.

We have also been co-ordinating with GCHQ, Government and Bank of England (BOE) and Prudential Regulation Authority (PRA) in our approach across the sector, and look forward to continuing to do this with the National Cyber Security Centre, which you will have seen that it is due to be launched this October.

We have undertaken resilience exercises, both with the industry and with other regulators. A notable recent example was exercise Resilient Shield in January last year – it was a joint endeavour between the US and the UK, focussing on our collective response to a transatlantic cyber event, as well as information sharing, incident response handling and public communications.

On a personal level, as a direct participant, I was impressed by the co-operation involved – there’s no doubt it’s helped both countries enhance their cyber programmes. Looking forward, our intention is to continue in much the same vein – to encourage and participate in more multi agency exercises – they are habit forming and help us all to sharpen and refine our response to real world attacks.

2. In terms of supervisory attention, we have focused on the largest providers, the critical national infrastructure, conducting probing testing – CBEST testing – in co-ordinated work with BOE and others – under the auspices of the Financial Policy Committee.

We are now turning our sights more specifically to the broader population of firms we regulate. We are assessing which firms we believe pose the greatest risk to our objectives if their services were disrupted, either through lack of availability or integrity of data or processes. And this does not really depend on the size of a firm – the reality is that even the smallest firm holds large quantities of sensitive data – which if compromised could then have a ripple effect to other areas of the financial sector, and indeed businesses more broadly.

We will deploy a proportionate approach, ranging from communications and self-help to all firms – building on the very helpful existing materials from Government – eg 10 Steps to Cyber Security and Cyber Essentials – to more intensive supervisory approach with individual firms.

We expect a security culture, driven from the top down – from the Board, to senior management, down to every employee.

So what will we be looking for?

Regulatory requirements in this area stem from rules and principles around effective management of risk and controls – SYSC – and these apply over a range of issues from information security, to business continuity, to outsourcing.

As you might expect we see firms taking a number of different strategies to compliance – there is no one right answer, but we do have some expectations in this area that I want to share.

I can summarise these by saying we expect ‘a security culture’, driven from the top down – from the Board, to senior management, down to every employee. This is not as vague as it sounds – I will elaborate further.

We are looking for firms to have good governance around cyber security in their firms – by this I mean senior management engagement, responsibility – and effective challenge at the Board. We are aware firms have found it difficult to identify the right people for these roles – but much progress has been made, and I am encouraged by the engagement we have seen on this issue by senior management.

We will be looking to see that firms have identified their key assets – and that the protections around them are appropriate – you might secure valuables in a safe, and others under lock and key – the same applies here. Protections also extend to your usual personnel security – how well trained are your staff to recognise phishing emails? How good is the security screening of your staff? How often do you test your defences?

Firms need to have adequate detection capabilities – how well do you know whether you have been attacked? Recent cases show that attacks have happened and are lurking in systems for a long time before they are detected – eg Cabarnak. How good is your threat intelligence? There is no shortage of innovation in cyber protection – of those innovations, I would count positive developments in DDos Defence and new technologies such as website re-scripting as among the most important. But these really are just the tip of the iceberg. Others are developing artificial intelligence systems which can scour corporate networks for vulnerabilities and patch them automatically. This is all good – but it’s not a sliver bullet.

Very importantly – recovery and response – firms should have systems and controls to ensure they can carry on in the event of an unforeseen interruption, and to be able to recover from interruptions, preserving essential data. Our observation is that in some cases, current business continuity plans do not work where data are compromised. And timely communication is important – to consumers and markets.

We also expect you to report material breaches to us, under Principle 11 – and to share information with others, on the Cyber Information Sharing Partnership (otherwise known as the CISP platform). This is a government initiative which will now be residing within the NCSC, funded by the National Cyber Security budget, and a good example of the government and private industry working together. I cannot emphasise enough how important information sharing is to identifying and tackling patterns of attacks – and I urge you to continue this, to enhance the protection of the industry as a whole.

Key emerging risk areas

Whilst you can outsource a service ... you cannot outsource the associated responsibility for the risks.

There are also some key emerging risk areas that we will be looking at:

1. Ransomware

First, we expect the ransomware threat to firms and customers to significantly increase over the next few years – ransomware attacks increased by 35% in 2015[1], and we expect this increasing trend will continue.

These attacks often involve the use of a phishing email, which once clicked on installs the ransomware onto a system, encrypts key information within it (effectively locking users out of systems or preventing access to data), and the hackers demand a ransom to release it.

An attack on a medical centre in LA earlier this year is probably the highest profile public case to date. But I suspect many other incidents have simply gone unreported. A point that should emphatically put financial services on notice.

So we are very strongly encouraging the industry to monitor developments here.

Ransomware attackers are, to quote one security firm, already ‘crazy sophisticated[2]’. To the point of offering online ‘helpdesks’ to victims.

We need firms to be alive to the risks of self-propagating malware, and the associated threats it poses. We are no longer looking at isolated infections on end user devices: we have to consider what firms would do to recover systems if self-replicating ransomware, or other malicious software, were to intelligently spread throughout their networks.

Most important, if it happened tomorrow, how would you recover from such a loss where many firms adopt mirrored backup solutions that offer no help in this scenario? Could you afford to go back to a set of tapes that may be a week old? And what would have been lost in that time?

Key is user education and awareness – and identification and blocking of potentially harmful programs, and regularly tested backup and recovery processes are essential.

2. Data storage/outsourcing

And this links to the second big risk we see, which is around data storage. As more firms move to the cloud, they really do need to be aware that they adopt the cloud provider’s threat profile, as well as their own. Outsourcing key services to cloud vendors plainly brings large cost and efficiency benefits – we fully understand that – but firms must be on top of associated risks. A strong relationship with cloud providers (and other outsourcing partners) is critical to managing this change in the threat profile. Firms need to understand how their data is protected.

The FCA recently issued cloud guidance to firms and I encourage everyone to read this – it clearly lays out our view on this subject.

Whilst you can outsource a service, and realise the benefits that the cloud undeniably brings, you cannot outsource the associated responsibility for the risks. These are yours to manage, whether you’re a start-up or an established multi-national.

3. Skills

The third risk I want to mention is the skills gap in cyber. We know some firms are struggling to recruit skilled staff to analyse data, and respond to threats. Plainly there are issues here beyond the sector’s control. But it is important for industry to do what it can to bring talent into the cyber field.

To that end, we are extremely keen for firms to take advantage of any practical initiatives that contribute to that goal. A notable example being the Government’s FastTrack cyber apprenticeship scheme. If we want to live in a world where there is an ‘internet of things’, from fridges ordering food to Amazon Dash, the industry will, ultimately, need a workforce capable of managing the complex risks that arise. 

Conclusion

So to conclude, cyber is a threat that is ever evolving and ever increasing.

But I’d like to leave you with an observation:

Most attacks you have read about were caused by basic failings – you can trace the majority back to: poor perimeter defences, unpatched, or end-of-life systems, or just a plain lack of security awareness within an organisation. So we strongly encourage firms to evolve and instil within them a holistic ‘security culture’ – covering not just technology, but people and processes too.

You can expect to hear more from us on cyber resilience. We will be reaching out to a much wider range of firms than we have to date, and focussing on those in which a successful attack might pose the greatest risk to our objectives. We will be looking closely at the cyber practices of these firms.

Cyber remains a priority for the FCA – we remain keen to work with industry to drive up standards, and to help the UK remain a safe place to do business – and look forward to continuing to engage with you on this in the future.