Insights from the 2020 Cyber Coordination Groups

Research notes Published: 29/04/2021 Last updated: 29/04/2021

We give a broad overview and insight into the discussions held at our quarterly Cyber Coordination Group meetings, with the aim of sharing the valuable insights found in these groups to the wider financial sector.

Introduction

Cyber threats and their associated harms represent a complex and evolving challenge for the financial sector. Since 2017, the FCA has brought financial services firms together to collaborate in groups on cyber security and operational resilience.

These Cyber Coordination Groups (CCGs) have aimed to help firms share knowledge and discuss good practices in protecting themselves from cyber threats.

In 2020, we convened 157 firms in 7 CCGs, with each CCG representing a specific sub-sector. The 2020 CCG sub-sectors were: Insurance, Investment Management, Fund Management, Retail Banking and Payments Firms, Retail Investments and Lending, Brokers/Principal Trading Firms and Trading Venues/Benchmark Administration Firms.

The CCGs met quarterly, allowing firms to learn from and support their peers, as well as address sector-wide issues in a collaborative setting. The CCGs were joined by representatives from HM Treasury (The Treasury), the FCA, the Bank of England (BoE), the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), to promote increased engagement between the financial sector and these authorities.

The FCA also supports the Trade Association Cyber Information Group (TACIG) which brings together leading Financial Sector Trade Association bodies, to maximise information sharing to the financial sector. The TACIG shares key information and insights with member associations and the firms that are part of them.

This is our third annual CCG insights publication. It draws on the knowledge shared from the past year’s CCG discussions, with the aim of sharing information and good practices to the wider financial sector. The insights cover broad cyber risks that span sector priorities, in addition to the key themes that were discussed in depth by some or all the CCG groups.

The key insights discussed in this publication are:

  1. Some of the major cyber threats and risks that CCG member firms have been faced with include: ransomware attacks, denial of service attacks, cloud security, insider threats and inadequate supply chain oversight and security.
  2. CCG firms have identified Zero Trust Security models and Artificial Intelligence as some of the emerging fields within cyber-security.
  3. The change to remote working has put additional strain on cyber-security teams and systems, requiring the need to re-evaluate existing cyber risks and controls. The changed ways of working have also exacerbated the challenges caused by ransomware, supply chain security and insider threats.
  4. There are several common good practices that can be used to mitigate supply chain risks. CCG members identified fourth-party supply chain and Cloud Service Provider (CSP) risks as unique challenges in this space and shared potential mitigation strategies. CCG members also identified shared assurance models as potentially promising improvements to the way firms assess supply chain risk.

This is not FCA guidance on rules under section 139A of the Financial Services and Markets Act 2000. It does not set out the FCA’s expectations for systems and controls that firms should have in place to comply with our regulatory requirements.

All discussions have been shared by one or more firms within the CCGs, and much of the discussion supports existing guidance from the NCSC.

 

Section 2: Covid-19 and remote working

Covid-19 has increased the challenges of cyber-security teams greatly, through a variety of different issues.

New ways of working

The global pandemic has required financial sector firms to quickly transition to a remote workforce with an increased focus on serving customers through digital channels. This rapid change required information security teams to perform multiple roles of supporting business continuity and protecting the firm and its customers while adapting their own operations to a ‘new normal’.

CCG members highlighted that this has put an even greater strain on their cyber security teams.

At the beginning of the pandemic response, many companies were forced to accept new risks, including reduced control standards to keep operations going. As employees and firms became accustomed to the changes, these residual risks were re-evaluated often resulting in tightened controls.

The surge in remote working due to Covid-19 has expanded the security perimeters of firms, with attackers seeking to exploit the vulnerabilities in employees’ home networks. CCG members expressed concern over the security of employees’ home devices including routers and IoT devices.

Some CCG members also noted the challenges in achieving the same level of monitoring capabilities they had on premises with most having to upgrade capabilities to achieve some level of effective monitoring. With additional layers such as virtual private networks (VPNs), multiple networks and various cloud applications and platforms such as Office 365 being used, effective monitoring became an even greater challenge.

CCG members discussed the increased monitoring of employees performing high-risk functions from home in order to reduce risks of harm.

These additional challenges have highlighted that traditional systems and controls are often put under strain when transitioned to remote working. CCG members noted the need re-evaluate their cyber threats given the changes to ways of working caused by the pandemic.

Ransomware and malicious actors

Malicious actors ranging from opportunistic attackers to nation-state actors have looked to exploit the pandemic for their benefit. Indicators of threat activity began to emerge almost at the same time as the growing societal awareness of the scope of the pandemic.

This highlights the speed at which attackers can move to take advantage of major news developments.

CCG members observed that the most evident example of this increase in opportunistic attacks was an increase in phishing and vishing attempts, many of which used pandemic-related lures to gain access to personal, financial and business data.

With the financial sector worldwide seeing an increase in ransomware attacks, many CCGs noted the importance of ensuring timely patching of systems, applications and control updates. Firms also discussed the need to counter the increased threat with greater monitoring capabilities and staff information security and cyber awareness training, including phishing control tests.

CCG members noted that the increased threat level from ransomware had led to board awareness of the problem and its potential brand impact. This has helped cyber risk become a higher priority across firms.

Insider threat

CCG members also recognised that in response to enabling homeworking, insider threats have become harder to monitor. This is true of both malicious and accidental insider threats. Procedures, policies and other (digital and physical) control measures may not fully cater for this change.

CCG members acknowledged that malicious or accidental breaches can happen when staff may be more vulnerable because of anxieties increasing due to Covid-19 while juggling home-schooling, home working or other stresses. This can be exacerbated by longer working hours resulting in fatigue and potentially poor decision making.

Finally, CCG members noted that we may never see a permanent solution to mitigating insider threat, due to its unpredictable nature. For the most part, firms mentioned monitoring of users and system activities as the main way to mitigate against insider threat, alongside an increase in awareness training and monitoring of staff wellbeing.

 

Section 3: Supply chain security

CCG members regularly identify that the risks associated with their supply chains and third-parties are a major cyber and operational resilience priority. In 2020, supply chain security was one of our focus topics for the CCG meetings.

CCG members identified several key issues associated with third-party risk management and discussed potential ways to mitigate against these risks. Throughout, members recognised that third-party risk management is a complex issue which encompasses third-parties of varying sizes, introducing complicated levels of risk that are hard to manage. This risk increases particularly as firms scale up and use additional third-party providers. CCG members agreed that a ‘one size fits all’ approach is not appropriate, and that these challenges require an adaptive approach.

General good practice

CCG members discussed a variety of good practices to handling third-party risk management and assurance. Common opinions across the CCG meetings included:

  • Members agreed that some of the better strategies to carry out third-party risk due diligence include independent audits of third-party systems, assurance that a third-party has strong security certifications and concise security questionnaires.
  • CCG members considered security questionnaires a somewhat flawed approach, but currently serve a purpose in providing a reasonable standard of risk oversight while being simple to implement. Security questionnaires are prone to over optimistic responses from third-party suppliers, which needs to be accounted for in the evaluation of risk. Members also agreed that, when questionnaires are used, a short question set that probes meaningful areas of risk is much more beneficial than long and complex questionnaires.
  • Members acknowledged that responses to document requests or questionnaires do not always answer all risk management questions, and that instead fostering a good relationship between a third-party supplier’s security team and a firm’s risk management team is an excellent way to gain more bespoke, targeted risk assurance. This approach is not always possible, however, especially with large suppliers.
  • Members agreed on the need to follow a standard approach if a third-party supplier is compromised, based on the degree and extent of impact. To best implement this, a robust risk management framework should be in place, coupled with a strong accountability chain within a firm. To help ensure an accountability chain is robust, education of third-party cyber risks across senior management teams is essential. Members highlighted that if business decisions are being made based on third-party risk due diligence, then a good understanding of third-party cyber risk must be in place at a senior level.
  • In a similar vein, some members noted that often third-party risk management teams can be either too business-focused or too technology-focused, and that a balance needs to be struck to account for both areas.
  • Members agreed that when a third-party service changes, fresh due diligence is required to re-evaluate the risks.
  • CCG members also discussed how best to vary risk management approaches depending on the size and nature of the third-party supplier, agreeing that there are positives and negatives to dealing with both large and smaller providers. The consensus in the groups was that large suppliers cannot be deprioritised in relation to risk, and thorough due diligence is required for all suppliers regardless of reputation and size. They also noted that legacy and incumbent third-party suppliers tend to be less flexible and harder to manage, so greater attention is often required.
  • Despite all good practice, members noted that risks will inevitably materialise into real consumer harm on some occasions, and that it is crucial this is understood across the business and that contingency is put in place to mitigate the harm caused.

Fourth-parties

There were in-depth discussions from CCG members around the additional cyber risks posed when suppliers outsource some of their own operations (fourth-parties, fifth-parties, etc). Members noted that fourth-parties often pose an even greater risk than a firm’s third-parties, due to them often being critical in the supply chain but there being very low visibility of these risks from a firm’s perspective.

CCG members noted that fully managing fourth-party risk is extremely challenging due to this lack of visibility. However, it should be an ambition to make fourth-party risk management as robust as third-party risk management.

Members noted it is common practice to question a third-party supplier’s own supply chain as part of the due diligence process. However, it was acknowledged that this is often not done to great enough detail to effectively mitigate against fourth-party risks.

Members agreed that due to the lack of visibility and contact with fourth-party providers, greater due diligence should be undertaken at the contractual stage with a third-party supplier. This could include gaining full oversight of a third-party’s supply chain before starting a relationship with them, with contractual obligations for the third-party to update the firm if this supply chain changes.

Cloud service providers

CCG members discussed cloud service providers (CSPs) as a very different category of third-party, with different risk mitigation approaches needed. CCG members noted that CSPs tend to offer more resilience than other third-party providers, but their risk should still not be deprioritised due to the high level of reliance upon CSP systems by firms.

A major way in which CSPs differ from traditional third-party suppliers is their engagement style. CSPs tend not to entertain bespoke risk assurance approaches, and traditional good practices such as issuing security questionnaires are relatively ineffective.

Members agreed that the best way to gain assurance from CSPs is to foster a strong relationship with them. However, this is unrealistic for all but the largest firms. As a result, there is some level of reliance upon reviewing CSPs’ shared due diligence and audit reports and comparing these to a firm’s current risk appetite.

Financial sector cloud contract addendums can be useful to provide extra assurance from CSPs for firms to fulfil financial sector regulatory obligations.

Another angle to CSP risk is that of suppliers who operate on Software as a Service (SaaS) or Platform as a Service (PaaS) infrastructures. These suppliers use CSP infrastructure to provide their service.

This often leads to a juxtaposition of risk. On one hand, the added resilience of CSP infrastructure can lead to more robust cyber posture. However, the lack of full system visibility, paired with security risks associated with poor cloud platform configuration, adds additional risk.

CCG members agreed that this trade-off needs to be considered when engaging with suppliers who operate via SaaS or PaaS.

CCG members also discussed the concentration risk associated with using CSPs to house multiple important systems, in addition to potentially having additional third-party suppliers using the same CSP. The consensus of the groups was that in general this concentration risk is acceptable due to the high level of resilience of CSPs, and the high number of different regional server centres that CSPs operate across.

Some members raised the prospect of using multiple CSPs to mitigate concentration risk. Multi-cloud approaches involve the simultaneous hosting of services across multiple CSPs, which can increase resilience if one CSP has outages.

The feasibility of this approach was questioned by some members due to the resource cost and differences in infrastructure between different CSPs. This was countered by some members, with the suggestions that container technology can be used to allow for easier implementation across multiple CSP infrastructures, or for rapid redeployment in the case of a certain CSP becoming compromised.

Shared assurance models

There was much discussion and optimism within the CCGs around the prospect of using shared risk assurance models for third-party suppliers across the industry. Shared risk assurance models would allow multiple firms to input into the risk assessment of a given supplier, sharing the resource demand in carrying out thorough due diligence.

In theory, this would allow for less resource being dedicated to third-party risk assessments per firm, while delivering a greater overall assessment of a supplier’s risk.

The optimism from the CCGs was balanced by an acceptance that this is a hard system to implement, and that great care and attention should be given to ensure that this is implemented correctly. Frameworks should be designed to a high enough standard to ensure that the system provides an adequate level of risk assurance for all third-parties to all firms involved.

They also noted that both privacy and legal liability concerns would need to be carefully considered if any framework was developed with potential adoption in mind.

Third-party risk management products

Third-party risk management products can be used to evaluate the risk posed by certain third-party suppliers, and to gain risk oversight of a supply chain. The CCG members were generally disapproving of such products for several reasons.

Primarily, members felt that third-party risk management products provide little detail or context in their reports, resulting in potentially ill-advised advice. This is compounded by the fact that the cyber position of an organisation can change faster than the reporting of such a product, resulting in inaccurate reports.

Despite this, some CCG members saw benefit to using such products, acknowledging that they can be of some use at a very high level to gain oversight but should not be used for detailed analysis or final decisions.

In addition, CCG members noted that although the benefit of such products is questionable, the availability and visibility of their reports helps drive cyber improvements across industry.

Covid-19

Several aspects of third-party risk management and assurance have been affected by the Covid-19 pandemic and the subsequent change in working requirements. CCG members identified the following 3 changes:

  1. Third-party supplier auditing has changed in nature. On-site audits have not been possible which has added complications in gaining assurance. Nonetheless, some CCG members considered the replacement of on-site audits with virtual audits as an adequate replacement.
  2. Firms were forced to adapt quickly to new working environments, which often required the adoption of additional third-party suppliers such as video conferencing technology suppliers. CCG members acknowledged that due diligence was unlikely to have been fully completed due to the speed at which these changes were required, and reassessing due diligence in these circumstances is beneficial.
  3. Higher levels of remote working have led to an increase in cyber risk tolerance amongst CCG members who advised that a key aspect in managing this has been to increase education around remote working practices to staff and management.