Cybersecurity - not just an IT issue but a regulatory one too

In the FCA Business Plan 2017/18, chairman John Griffith-Jones warned that cyber-resilience was a key risk area for the financial services industry. This latest banking reform updater looks at the UK regulatory approach to cyber-resilience, and the latest EU and international regulatory developments.

As recent events have shown, cyber-attacks are increasing in scale and sophistication. However, whilst news and media attention in the UK has focused on the cyber-attack on the National Health Service (UK NHS), cyber-risk is something that has been on the regulatory radar for some time. The reason for this is that the FCA has seen a significant increase in cyber-attacks reported by firms over the past couple of years. Financial crime statistics from the UK Office for National Statistics suggest that there were 2.11 million victims of cyber-crime and 2.5 million incidents of bank and credit account fraud in 2015/16 alone.

However, it is not just banks that have been targeted. In February 2017 the internal systems of the Polish Financial Supervision Authority were compromised in an attempt to infiltrate Polish banks with malware. In the UK the FCA has seen attempts to use the FCA brand in phishing campaigns against the UK financial sector.

Often cyber-resilience is thought of as solely an IT issue. However, this is quite wrong as financial institutions’ resilience to cyber-attacks has significant implications for markets and consumers thereby linking it to both the FCA’s and PRA’s statutory objectives.

The FCA has a strategic objective which is to ensure that the relevant markets function well. It also has three operational objectives that are linked to the protection of consumers, the protection of financial markets and the promotion of competition. The PRA has three statutory objectives, one of which is a general objective to promote the safety and soundness of the firms it regulates. In discharging this general objective the PRA’s approach to banking supervision document states that the regulator will focus in particular on the risk of disruption to the continuity of supply of critical economic functions (i.e. payment, settlement and clearing, retail banking, corporate banking, intra-financial system borrowing and lending, investment banking, custody services, life insurance and general insurance).

Some of the key FCA principles and rules pertinent to cyber-resilience are:

• Principle 3 of the Principles for Businesses – a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
• Principle 11 of the Principles for Businesses – a firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice
• SYSC 3.1.1 – a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business
• SYSC 3.2.6 – a firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime
• SUP 15.3.1 – a firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future: (i) the firm is failing to satisfy one or more of the threshold conditions; (ii) any matter which could have a significant adverse impact on the firm’s reputation; (iii) any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or (iv) any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.

Following the recent cyber-attack on the UK NHS, the FCA established on its website a cyber-resilience web page. On this web page the FCA summarises its requirements in the following terms:

“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”

Further “soft” guidance has been given in a speech¹ by Nausicaa Delfas, the FCA Executive Director. One of the key points in this speech was that firms had to get the ‘basics’ right. Many firms believe that they are, but the regulator feels that the reality is different pointing to the 2016 Verizon Data Breach Investigations Report that found that ten vulnerabilities accounted for 85% of successful breaches in an analysis of 2,260 data breaches and 64,199 security incidents from 61 countries.

Firms conducting rigorous patch management and getting ‘cyber-basics’ right are key for the FCA which argues that firms properly implementing schemes such as ‘Cyber Essentials’ or the ‘10 steps to cyber security’ could eliminate about 80% of the cyber-threat they face. The FCA also wants firms to consider specific cyber-risks, urging them to carrying out robust and comprehensive risk assessments focussed on the impact of a distributed denial-of-service (DDoS) attack on their systems.

Whilst accepting that some IT concentration may be inevitable (with iCloud for example) the FCA is also looking for firms to consider concentration risk when subscribing to a given service. In relation to outsourcing to the ‘cloud’ and other third-party IT services the FCA issued finalised guidance² last year which illustrated ways in which the regulator’s rules could be complied with. The European Banking Authority issued a consultation on draft guidance on the use of cloud service providers in May this year. The consultation closes on 18 August 2017.

Awareness and education are also critical components for firms. In her speech Nausicaa Delfas discussed the need for firms to stop using a staff “policy” as the sole baseline for security training on the basis that staff view this as a corporate piece of paper that is easily forgotten. The FCA has been impressed with firms that have adopted approaches that have taken staff on a journey and have helped them become security focused individuals. Such approaches have included: introducing fake phishing scams, educating staff who click on them, rewarding those who avoid/spot attacks, taking further action on those who persistently do not.

Nausicaa Delfas also mentioned in her speech that there was a role for non-executive directors who should be able to satisfy themselves that their firm is managing cyber-risk effectively. The Institute of Directors specifically calls for non-executive directors to satisfy themselves “that systems of risk management are robust and defensible.”

Under Principle 11 of the Principles for Businesses³ a firm must report material cyber events to the FCA. Firms may consider an incident material if it:

• results in significant loss of data, or the availability or control of its IT systems;
• impacts a large number of victims; or
• results in unauthorised access to, or malicious software present on, its information and communication systems.

The PRA has 8 Fundamental Rules that are similar to the FCA’s Principles for Businesses. In particular:

• Fundamental Rule 2: a firm must conduct its business with due skill, care and diligence
• Fundamental Rule 5: a firm must have effective risk strategies and risk management systems
• Fundamental Rule 6: a firm must organise and control its affairs responsibly
• Fundamental Rule 7: a firm must deal with its regulators in an open and cooperative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.

Among other things the Risk Control part of the PRA Rulebook notes⁴ that:

• a firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm’s activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm
• a firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm’s activities, processes and systems, in light of that level of risk tolerance.

The Group Risk Systems part of the PRA Rulebook also notes⁵, among other things, that a firm must:

• have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and
• ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.

In 2014 Andrew Gracie, Bank of England Executive Director for Resolution, gave a speech⁶ in which he briefly discussed the broader question of framing regulatory expectations as regards cyber-resilience. He said:

“Detail prescription is not going to work. As technology, and the threats related to it, evolve, any attempt to etch standards in stone is likely to become outmoded and ineffective. But we will take a systemic, risk-sensitive, intelligence-based view as to what good practice looks like in relation to cyber; and we will take action in the face of inadequate preparation on the part of firms. Just as the threat evolves and adapts, so will our expectations.”

More recently, in May 2016 the Bank of England’s Chief Information Security Officer, Will Brandon, gave a speech on cyber-risk⁷ noting that the trouble with most cyber-attacks is that they are not exclusively or even mainly technical in nature. Rather, most cyber-attacks exploit people and/or processes by using social engineering: sending emails with tempting but malicious links or attachments etc. In doing so, the culture, training and integrity of staff are exploited. Other key points in this speech included:

• cyber is, to a greater extent, a leadership and management issue. Leadership needs to be applied from the top, not just from the IT department
• processes need to be managed holistically, via the same governance approaches that are used in other parts of a firm’s business. This means, among other things, clear policies and standards, good management information, and a sensible approach to compliance
• oversight may be needed, a formal means for the firm to assess and manage risk
• managers should take ownership of information security risk as they would any other risk
• outdated operating systems, poor patching, untrained staff, unsegregated networks, weak security monitoring can all be fixed by a firm. But less obvious, but just as important, may be a firm’s wider ability to respond to a critical incident. If the firm does not have a plan, or it has not rehearsed it at all levels, an incident is unlikely to go well.

A further Bank of England speech touching on cyber-resilience was published on 13 June 2017. In ‘The Bank of England’s approach to operational resilience’ Charlotte Gerken (Director, Supervisory Risk Specialists) noted that cyber has a number of features that make it different from other threats to banks’ operation resilience:

• it is an activity undertaken by individuals, groups and sometimes states. It is not a natural or error based risk. There is a human protagonist;
• the threat is adaptive. Attackers adapt, adjust and scale their activities to discover what works.
• detection and identifying the attacker is complex. It is often hard to detect that an operation is under attack and it can be difficult to trace the source; and
• recovery may be threatened. The Bank of England’s standard approach to business continuity involves operating with common systems environments between primary and secondary sites, mirroring data between the two. This could, in the face of a successful cyber-attack, be vulnerable to complete loss of applications or destruction or corruption of data.

For those banks and financial market infrastructures that are considered to be core to the UK financial system the UK authorities launched in May 2014 a voluntary programme called ‘CBEST’⁸. The origins of CBEST can be found in a Financial Policy Committee (FPC) recommendation in 2013 requesting that HM Treasury and the UK regulators work together with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack. A further FPC recommendation in 2015, replacing the 2013 recommendation, called for the completion of CBEST tests, the adoption of individual cyber-resilience action plans and the establishment of arrangements for CBEST tests to become one component of regular cyber-resilience assessment. 

The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live red team tests, within a controlled testing environment. The results should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.

A record from an FPC meeting in November last year noted that the first round of the CBEST vulnerability testing programme was close to completion, thirty out of 35 core firms and financial market infrastructures had completed CBEST tests (three times the number from a year earlier), and the results showed that financial sector resilience against cyber-attack was increasing.

Last September the PRA published a consultation paper⁹ regarding a new senior management function, the Chief Operations senior manager function which covered those individuals with overall responsibility for managing and ensuring the operational continuity and resilience of, the internal operations, systems and technology of a firm¹⁰. To complement this new senior management function the PRA also proposed the creation of a new prescribed responsibility for managing, and ensuring the operational continuity and resilience of, the internal operations, systems and technology of a firm. The deadline for comments on these new proposals was 9 January 2017.

In May 2017, the PRA published a policy statement¹¹ setting out feedback to its earlier consultation and final rules.  Importantly, the PRA revised the definition of the Chief Operations senior management function so that it covers ‘responsibility for managing the internal operations and technology of a firm’. It also deleted the word ‘systems’ from the original proposed definition of the senior management function on the basis that it is already covered by the words ‘internal operations/technology’. The PRA has also allowed the Chief Operations senior management function to be split among more than one individual, as long as the split is justified and accurately reflects the firm’s organisational structure and provided splitting does not leave any part of the Chief Operating Officer’s responsibilities out. The possibility of splitting the Chief Operations senior management function is further covered in a PRA supervisory statement¹² which was also updated at the same time. In terms of the prescribed responsibility that accompanies the Chief Operations senior manager function, the PRA made some amendments so that it is more aligned with its original intent of ensuring senior management accountability for the firm’s operations and technology including when these are outsourced.

In terms of when the Chief Operations senior management function comes into effect, the PRA policy statement was not entirely clear. The PRA mentioned that a number of firms had requested a transitional period to implement the new requirements. The PRA’s response was that it would shortly publish a consultation paper setting out consequential changes to its forms to reflect the new requirements.

This consultation paper was published by the PRA on 13 June 2017¹³. The PRA proposed that banks and other financial institutions currently subject to the senior managers regime would have to submit notifications or applications relating to the Chief Operations senior management function from 12 November 2017.

In July 2016, there was published in the Official Journal of the EU the Cyber-Security Directive¹⁴ (otherwise known as the Network and Information Security Directive). Member States must transpose the Directive into national law by 9 May 2018, and apply their national measures from 10 May 2018.

Importantly, the Directive establishes, among other things, certain security and notification requirements for “operators of essential services”, which include certain banks and financial market infrastructures that meet the criteria in Article 5(2) of the Directive which provides that:

• the entity provides a service which is essential for the maintenance of critical societal and/or economic activities
• the provision of that service depends on network and information systems; and
• an incident would have significant disruptive effects on the provision of that service.

Member States are to identify the operators of essential services within an establishment on their territory by 9 November 2018, and to review and update their list at least every two years after 9 May 2018.

In October 2016, the G7 published fundamental elements of cyber-security for the financial sector¹⁵. These high level principles are designed for financial sector entities, both private and public, to be tailored to their specific operational and threat landscapes, role in the sector, and legal and regulatory requirements. Arguably the principles are an attempt by the G7 to encourage regulators and firms to approach cyber security from a risk management perspective.

The high level principles include the following:

• cyber-security strategy and framework: establish and maintain a cyber-security strategy and framework tailored to specific risks and appropriately informed by international, national and industry standards and guidelines
• governance: define and facilitate performance of roles and responsibilities for personnel implementing, managing and overseeing the effectiveness of the cyber-security strategy and framework to ensure accountability; and provide adequate resources, appropriate authority and access to the governing authority
• risk and control assessment: identify functions, activities, products and services – including interconnections, dependencies and third parties – prioritise their relative importance, and assess their respective cyber-risks. Identify and implement controls including systems, policies, procedures and training to protect against and manage those risks within the tolerance set by the governing authority
• monitoring: establish systematic monitoring processes to rapidly detect cyber-incidents and periodically evaluate the effectiveness of identified controls, including though network monitoring, testing, audits and exercises
• response: timely (i) asses the nature, scope and impact of a cyber-incident; (ii) contain the incident and mitigate its impact; (iii) notify internal and external stakeholders and (iv) coordinate joint response activities as needed
• recovery: resume operations responsibly while allowing for continued remediation including (i) eliminating harmful remnant of the incident; (ii) restoring systems and data to normal and confirming normal state; (iii) identifying and mitigating all vulnerabilities that were exploited; (iv) remediating vulnerabilities to prevent similar incidents; and (v) communicating appropriately internally and externally
• information sharing: engage in the timely sharing of reliable, actionable cyber-security information with internal and external stakeholders on threats, vulnerabilities, incidents and responses to enhance defences, limit damage, increase situational awareness and broaden learning
• continuous learning: review the cyber-security strategy and framework regularly and when events warrant changes in cyber-risks, allocate resources, identify and remediate gaps and incorporate lessons learned.

It is clear that cyber-resilience is high on the regulatory agenda and both the FCA and PRA will be less tolerant with those firms that are lagging behind in their cyber-resilience preparations. Both the Bank of England and the FCA have said in speeches that cyber-attacks generally exploit processes and people and therefore getting the basics right, following the ‘Cyber Essentials’, and training staff in a manner that takes them on a journey to become security focussed individuals are essential. Both have also pointed out that cyber-resilience is a leadership and management issue, the introduction by the PRA of the Chief Operations senior manager function will further formalise the issue.