Publication
The Art of Dispute: Key case law and recent developments in dispute resolution
Our newsletter provides practical advice and a concise analysis of key case law and recent developments in dispute resolution.
Global | Publication | July 2017
In the FCA Business Plan 2017/18, chairman John Griffith-Jones warned that cyber-resilience was a key risk area for the financial services industry. This latest banking reform updater looks at the UK regulatory approach to cyber-resilience, and the latest EU and international regulatory developments.
As recent events have shown, cyber-attacks are increasing in scale and sophistication. However, whilst news and media attention in the UK has focused on the cyber-attack on the National Health Service (UK NHS), cyber-risk is something that has been on the regulatory radar for some time. The reason for this is that the FCA has seen a significant increase in cyber-attacks reported by firms over the past couple of years. Financial crime statistics from the UK Office for National Statistics suggest that there were 2.11 million victims of cyber-crime and 2.5 million incidents of bank and credit account fraud in 2015/16 alone.
However, it is not just banks that have been targeted. In February 2017 the internal systems of the Polish Financial Supervision Authority were compromised in an attempt to infiltrate Polish banks with malware. In the UK the FCA has seen attempts to use the FCA brand in phishing campaigns against the UK financial sector.
Often cyber-resilience is thought of as solely an IT issue. However, this is quite wrong as financial institutions’ resilience to cyber-attacks has significant implications for markets and consumers thereby linking it to both the FCA’s and PRA’s statutory objectives.
The FCA has a strategic objective which is to ensure that the relevant markets function well. It also has three operational objectives that are linked to the protection of consumers, the protection of financial markets and the promotion of competition. The PRA has three statutory objectives, one of which is a general objective to promote the safety and soundness of the firms it regulates. In discharging this general objective the PRA’s approach to banking supervision document states that the regulator will focus in particular on the risk of disruption to the continuity of supply of critical economic functions (i.e. payment, settlement and clearing, retail banking, corporate banking, intra-financial system borrowing and lending, investment banking, custody services, life insurance and general insurance).
Some of the key FCA principles and rules pertinent to cyber-resilience are:
Following the recent cyber-attack on the UK NHS, the FCA established on its website a cyber-resilience web page. On this web page the FCA summarises its requirements in the following terms:
“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”
Further “soft” guidance has been given in a speech1 by Nausicaa Delfas, the FCA Executive Director. One of the key points in this speech was that firms had to get the ‘basics’ right. Many firms believe that they are, but the regulator feels that the reality is different pointing to the 2016 Verizon Data Breach Investigations Report that found that ten vulnerabilities accounted for 85% of successful breaches in an analysis of 2,260 data breaches and 64,199 security incidents from 61 countries.
Firms conducting rigorous patch management and getting ‘cyber-basics’ right are key for the FCA which argues that firms properly implementing schemes such as ‘Cyber Essentials’ or the ‘10 steps to cyber security’ could eliminate about 80% of the cyber-threat they face. The FCA also wants firms to consider specific cyber-risks, urging them to carrying out robust and comprehensive risk assessments focussed on the impact of a distributed denial-of-service (DDoS) attack on their systems.
Whilst accepting that some IT concentration may be inevitable (with iCloud for example) the FCA is also looking for firms to consider concentration risk when subscribing to a given service. In relation to outsourcing to the ‘cloud’ and other third-party IT services the FCA issued finalised guidance2 last year which illustrated ways in which the regulator’s rules could be complied with. The European Banking Authority issued a consultation on draft guidance on the use of cloud service providers in May this year. The consultation closes on 18 August 2017.
Awareness and education are also critical components for firms. In her speech Nausicaa Delfas discussed the need for firms to stop using a staff “policy” as the sole baseline for security training on the basis that staff view this as a corporate piece of paper that is easily forgotten. The FCA has been impressed with firms that have adopted approaches that have taken staff on a journey and have helped them become security focused individuals. Such approaches have included: introducing fake phishing scams, educating staff who click on them, rewarding those who avoid/spot attacks, taking further action on those who persistently do not.
Nausicaa Delfas also mentioned in her speech that there was a role for non-executive directors who should be able to satisfy themselves that their firm is managing cyber-risk effectively. The Institute of Directors specifically calls for non-executive directors to satisfy themselves “that systems of risk management are robust and defensible.”
Under Principle 11 of the Principles for Businesses3 a firm must report material cyber events to the FCA. Firms may consider an incident material if it:
The PRA has 8 Fundamental Rules that are similar to the FCA’s Principles for Businesses. In particular:
Among other things the Risk Control part of the PRA Rulebook notes4 that:
The Group Risk Systems part of the PRA Rulebook also notes5, among other things, that a firm must:
In 2014 Andrew Gracie, Bank of England Executive Director for Resolution, gave a speech6 in which he briefly discussed the broader question of framing regulatory expectations as regards cyber-resilience. He said:
“Detail prescription is not going to work. As technology, and the threats related to it, evolve, any attempt to etch standards in stone is likely to become outmoded and ineffective. But we will take a systemic, risk-sensitive, intelligence-based view as to what good practice looks like in relation to cyber; and we will take action in the face of inadequate preparation on the part of firms. Just as the threat evolves and adapts, so will our expectations.”
More recently, in May 2016 the Bank of England’s Chief Information Security Officer, Will Brandon, gave a speech on cyber-risk7 noting that the trouble with most cyber-attacks is that they are not exclusively or even mainly technical in nature. Rather, most cyber-attacks exploit people and/or processes by using social engineering: sending emails with tempting but malicious links or attachments etc. In doing so, the culture, training and integrity of staff are exploited. Other key points in this speech included:
A further Bank of England speech touching on cyber-resilience was published on 13 June 2017. In ‘The Bank of England’s approach to operational resilience’ Charlotte Gerken (Director, Supervisory Risk Specialists) noted that cyber has a number of features that make it different from other threats to banks’ operation resilience:
For those banks and financial market infrastructures that are considered to be core to the UK financial system the UK authorities launched in May 2014 a voluntary programme called ‘CBEST’8. The origins of CBEST can be found in a Financial Policy Committee (FPC) recommendation in 2013 requesting that HM Treasury and the UK regulators work together with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack. A further FPC recommendation in 2015, replacing the 2013 recommendation, called for the completion of CBEST tests, the adoption of individual cyber-resilience action plans and the establishment of arrangements for CBEST tests to become one component of regular cyber-resilience assessment.
The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live red team tests, within a controlled testing environment. The results should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.
A record from an FPC meeting in November last year noted that the first round of the CBEST vulnerability testing programme was close to completion, thirty out of 35 core firms and financial market infrastructures had completed CBEST tests (three times the number from a year earlier), and the results showed that financial sector resilience against cyber-attack was increasing.
Last September the PRA published a consultation paper9 regarding a new senior management function, the Chief Operations senior manager function which covered those individuals with overall responsibility for managing and ensuring the operational continuity and resilience of, the internal operations, systems and technology of a firm10. To complement this new senior management function the PRA also proposed the creation of a new prescribed responsibility for managing, and ensuring the operational continuity and resilience of, the internal operations, systems and technology of a firm. The deadline for comments on these new proposals was 9 January 2017.
In May 2017, the PRA published a policy statement11 setting out feedback to its earlier consultation and final rules. Importantly, the PRA revised the definition of the Chief Operations senior management function so that it covers ‘responsibility for managing the internal operations and technology of a firm’. It also deleted the word ‘systems’ from the original proposed definition of the senior management function on the basis that it is already covered by the words ‘internal operations/technology’. The PRA has also allowed the Chief Operations senior management function to be split among more than one individual, as long as the split is justified and accurately reflects the firm’s organisational structure and provided splitting does not leave any part of the Chief Operating Officer’s responsibilities out. The possibility of splitting the Chief Operations senior management function is further covered in a PRA supervisory statement12 which was also updated at the same time. In terms of the prescribed responsibility that accompanies the Chief Operations senior manager function, the PRA made some amendments so that it is more aligned with its original intent of ensuring senior management accountability for the firm’s operations and technology including when these are outsourced.
In terms of when the Chief Operations senior management function comes into effect, the PRA policy statement was not entirely clear. The PRA mentioned that a number of firms had requested a transitional period to implement the new requirements. The PRA’s response was that it would shortly publish a consultation paper setting out consequential changes to its forms to reflect the new requirements.
This consultation paper was published by the PRA on 13 June 201713. The PRA proposed that banks and other financial institutions currently subject to the senior managers regime would have to submit notifications or applications relating to the Chief Operations senior management function from 12 November 2017.
In July 2016, there was published in the Official Journal of the EU the Cyber-Security Directive14 (otherwise known as the Network and Information Security Directive). Member States must transpose the Directive into national law by 9 May 2018, and apply their national measures from 10 May 2018.
Importantly, the Directive establishes, among other things, certain security and notification requirements for “operators of essential services”, which include certain banks and financial market infrastructures that meet the criteria in Article 5(2) of the Directive which provides that:
Member States are to identify the operators of essential services within an establishment on their territory by 9 November 2018, and to review and update their list at least every two years after 9 May 2018.
In October 2016, the G7 published fundamental elements of cyber-security for the financial sector15. These high level principles are designed for financial sector entities, both private and public, to be tailored to their specific operational and threat landscapes, role in the sector, and legal and regulatory requirements. Arguably the principles are an attempt by the G7 to encourage regulators and firms to approach cyber security from a risk management perspective.
The high level principles include the following:
It is clear that cyber-resilience is high on the regulatory agenda and both the FCA and PRA will be less tolerant with those firms that are lagging behind in their cyber-resilience preparations. Both the Bank of England and the FCA have said in speeches that cyber-attacks generally exploit processes and people and therefore getting the basics right, following the ‘Cyber Essentials’, and training staff in a manner that takes them on a journey to become security focussed individuals are essential. Both have also pointed out that cyber-resilience is a leadership and management issue, the introduction by the PRA of the Chief Operations senior manager function will further formalise the issue.
Expect the unexpected – cyber security – 2017 and beyond. Speech by Nausicaa Delfas on 24 April 2017
FCA Finalised Guidance 16/5 – Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (July 2016)
A firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice
See 2.1 and 2.2 of Risk Control
See 2.1 of Group Risk Systems
Managing cyber risk – the global banking perspective (10 June 2014)
Remarks to the City Week conference – speech by Will Brandon (10 May 2016)
Consultation Paper 34/16: Strengthening individual accountability in banking and insurance: amendments and optimisations
A firm within scope of the senior managers regime – i.e. a bank
Policy Statement 12/17: Strengthening individual accountability in banking and insurance: amendments and optimisations
Supervisory Statement 28/15: Strengthening individual accountability in banking
Consultation Paper 8/17: Strengthening accountability in banking and insurance: optimisations to the SIMR and changes to SMR forms
Directive 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
For financial market infrastructures the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions co-published in June 2016, Guidance on
cyber-resilience for financial market infrastructures
Publication
Our newsletter provides practical advice and a concise analysis of key case law and recent developments in dispute resolution.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023