Cybersecurity: Not just an IT issue, but a regulatory one too

Introduction

For some time now financial services firms (firms) have been aware that cyber-resilience is a key area of risk and that it’s not just an IT issue but a regulatory one too. When firms moved the majority of their workforce to remote working to protect them from the COVID-19 pandemic, the risk of a successful cyber-attack increased significantly. In June, the European Commission noted that just after the COVID-19 pandemic began, the use of finance mobile apps in Europe went up by 72 per cent in just one week, due to social distancing and lockdown restrictions. At the same time, cyber-attacks on firms rose by 38 per cent¹.

For some time, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have been vocal in their support of firms becoming more resilient to cyber-attacks. The PRA views cyber-attacks in light of its financial stability objective whilst the FCA sees it in light of its consumer protection and market integrity objectives.

In regulatory terms cyber-resilience has become embedded in the wider concept of operational resilience covering different types of operational disruption. Cyber-attacks are, of course, an important element of this concept although the COVID-19 pandemic has illustrated that it is not the only type of disruption that financial institutions face. Significantly, as the figures mentioned above illustrate one form of operational disruption, (COVID-19) can increase the risk of a cyber-attack as criminals seek to take advantage of the difficult circumstances firms find themselves in.

In this briefing note we look at the key FCA and PRA rules underpinning cyber-resilience and what both regulators are looking for from firms. We also look at some of the lessons learned from regulatory intervention where a firm has suffered a cyber-attack. Finally, we cover recent European and international regulatory developments, and risk and compliance considerations.

Senior managers

In the UK, the Senior Managers and Certification Regime (SM&CR) has applied to the banking sector since March 2016 and to dual regulated insurers since December 2018. Under the SM&CR, individuals who perform the ‘Chief Operations’ senior management function (SMF24) are required to have responsibility for managing the internal operations or technology of the firm or of a part of the firm. This includes responsibility for cybersecurity. The SMF24 function can be split among more than one individual, as long as the split is justified and accurately reflects the firm’s organisational structure and provided splitting does not leave any part of the Chief Operating Officer’s responsibilities out.

Since December 2019, the SM&CR has also applied to FCA solo regulated firms². When implementing the SM&CR for solo regulated firms, the FCA took a different approach than it did for the banking sector on the basis that it wanted the regime to be proportionate and flexible enough to accommodate the different business models and governance structures of firms. In light of this, it created three different types of solo regulated firm for the purposes of the SM&CR and the requirements that apply depend on the firm classification: core firm, limited scope firm and enhanced firm. Only enhanced firms (the larger solo regulated firms) are required to appoint an individual to the SMF24 function. Where a firm does not have an individual performing the SMF24 function, it is down to the firm itself to determine the most appropriate individual who is accountable.

The FCA rules

Some of the key FCA principles and rules pertinent to cyber-resilience are:

• Principle 3 of the Principles for Businesses – a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
• Principle 11 of the Principles for Businesses – a firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.
• SYSC 3.1.1 – a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
• SYSC 3.2.6 – a firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
• SUP 15.3.1 – a firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future: (i) the firm is failing to satisfy one or more of the threshold conditions; (ii) any matter which could have a significant adverse impact on the firm’s reputation; (iii) any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or (iv) any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.

On the FCA’s website, Principle 11 is further considered in the context of a cyber event. The FCA states that a firm must report material cyber events, this is where a cyber-attack:

• Results in significant loss of data, or the availability or control of its IT systems.
• Impacts a large number of victims.
• Results in unauthorised access to, or malicious software present on, its information and communication systems.

What is the FCA looking for?

In terms of implementing the above rules in the cyber-resilience context, the FCA³ wants all firms to develop a security culture, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.

As with other areas covered by FCA rules, further “soft” guidance for firms has come in the form of FCA speeches. For example, Nausicca Delfas’ speech in September 2016⁴ alerted firms that getting ‘cyber-basics’ right were key for the regulator, arguing that those firms properly implementing schemes such as the ‘Cyber Essentials’ or ‘10 steps to cyber security’ could eliminate about 80 per cent of the cyber-threats they face.

Another piece of soft guidance was provided by the FCA’s Robin Jones in a speech in January 2018⁵. He emphasised that firms need to have an understanding of their key assets and be constantly assessing where they are vulnerable. He also drew attention to the fact that it’s not just about technology, people can often be the weakest link with staff awareness being a vital element of protection. For the FCA, three key lessons from previous incidents were: (i) addressing the basics, (ii) having in place robust contingency plans and (iii) ensuring such plans have a communication plan. In relation to the second item, the best way to mitigate a ransomware attack was to have a back-up: know and agree the organisation’s tolerance for systems or data being unavailable.

Later in 2018 the FCA published ‘Cyber and technology resilience: themes from cross-sector survey 2017/18’. The highlights from this paper included that firms identified governance as the area where they had the strongest capability although in some of the larger firms a lack of cyber and technology knowledge was identified at board level. The weakest areas firms identified included people, third-party management and protecting key assets. The FCA found that a significant number of firms struggled to maintain a view of what information they held and of their third parties. Firms also found challenges in identifying and managing their high-risk staff and then educating those employees with access to critical systems or sensitive data. A third of firms were found not performing regular cyber assessments. Most knew where their data was but described it as a challenge to maintain that picture. Nearly half of firms did not upgrade or retire old IT systems in time. Only 56 per cent said that they could measure the effectiveness of their information asset controls.

On January 9, 2020, the FCA published a statement on its website explaining the implications for operational resilience for firms using outsourcing and other third-party service providers. In terms of outsourcing and data security, the regulator stated that it expected firms to manage the amount of data being stored, processed or transmitted by third-party providers on behalf of the firm, and how critical to operations that data is. This includes how firms configure and monitor their services to reduce security and compliance incidents. The regulator also said that firms should implement an appropriate level of security to protect outsourced data. Where firms outsource to the cloud, they should refer to the FCA’s finalised guidance on the topic⁶.

The PRA approach

The PRA has eight Fundamental Rules that are similar to the FCA’s Principles for Businesses. In particular:

• Fundamental Rule 2: a firm must conduct its business with due skill, care and diligence.
• Fundamental Rule 5: a firm must have effective risk strategies and risk management systems.
• Fundamental Rule 6: a firm must organise and control its affairs responsibly.
• Fundamental Rule 7: a firm must deal with its regulators in an open and cooperative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.

In the cyber-resilience context⁷, the Fundamental Rules are further supplemented by the Risk Control part of the PRA Rulebook. The rules in this part of the PRA Rulebook cover risk control, risk committee and group arrangements and are derived from the Capital Requirements Directive IV and the Markets in Financial Instruments Directive II. They are supplemented by guidance in the form of a couple of PRA Supervisory Statements including Supervisory Statement 21/15: Internal governance. This particular Supervisory Statement has been updated a number of times and its current incarnation is the update made in April 2017. Among other things the Supervisory Statement mentions that the PRA expects the following matters to be dealt with in a firm’s business continuity policy:

• Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources.
• The recovery priorities for the firm’s operations.
• Communication arrangements for internal and external concerned parties (including the appropriate regulator, clients and the media).
• Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information.
• Processes to validate the integrity of information affected by the disruption.
• Regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with Rule 2.8 in the General Organisational Requirements Part of the PRA Rulebook.

Like the FCA, the PRA (and more widely the Bank of England (BoE)) have produced soft guidance in the form of speeches. For instance in 2014 Andrew Gracie gave a speech⁸ in which he briefly discussed the broader question of framing regulatory expectations as regards cyber-resilience. He said:

“Detailed prescription is not going to work. As technology, and the threats related to it, evolve, any attempt to etch standards in stone is likely to become outmoded and ineffective. But we will take a systemic, risk-sensitive, intelligence-based view as to what good practice looks like in relation to cyber; and we will take action in the face of inadequate preparation on the part of firms. Just as the threat evolves and adapts, so will our expectations.”

In May 2016 the BoE’s Chief Information Security Officer, Will Brandon, gave a speech⁹ on cyber-risk noting that the trouble with most cyber-attacks was that they were not exclusively or even mainly technical in nature. Rather, most cyber-attacks exploited people and/or processes by using social engineering: sending emails with tempting but malicious links or attachments, etc. In doing so, the culture, training and integrity of staff were exploited. Other key points in the speech included that cyber is, to a greater extent, a leadership and management issue. Leadership needs to be applied from the top, not just from the IT department.

A further BoE speech in 2017¹⁰ from Charlotte Gerken touched on cyber-resilience, noting that a cyber-attack had a number of features that made it different from other threats to banks’ operational resilience:

• It is an activity undertaken by individuals, groups and sometimes states. It is not a natural or error-based risk. There is a human protagonist.
• The threat is adaptive. Attackers adapt, adjust and scale their activities to discover what works.
• Detecting and identifying the attacker is complex. It is often hard to detect that an operation is under attack and it can be difficult to trace the source.

A BoE speech in 2018 from Lyndon Nelson¹¹ noted, among other things, that a cyber-threat requires firms to understand themselves, their strengths and their weaknesses. It becomes essential for them to understand their most critical assets and their most critical functions. In terms of what defines critical, the speech mentioned several things including: the importance to the customer; the importance to the integrity of the institution; and the importance to the sector and the wider economy.

A further speech by Lyndon Nelson in 2018¹² took stock of global cybersecurity regulatory initiatives. In particular, the speech noted that supervisory assessments across the globe highlighted recurring and prevalent weaknesses, four of which were:

• Insufficient cyber strategic planning and influencing. The effectiveness of cyber-resilience measures were undermined by deficiencies in board-level influencing, organisational design, operating model and strategy. A strong example of this was the thematic under-investment across the sector in the security culture.
• Insufficient industry oversight of third-party suppliers and supply chain. Firms in the sector tended to have an inadequate approach for oversight of their supply chain and third parties that often provided their information processing or IT systems.
• Ineffective testing of people, processes and technology. The sector as a whole did not conduct adequate effectiveness testing of cyber across people, processes and technology. Assurance was largely gained through audits and control sampling which was not sufficient. Sampling by its nature was partial, whereas cyber-defence often needed to be looked at holistically.
• Inadequate cyber-hygiene. Cyber-hygiene, which involves having basic and core practices and processes in place to improve cybersecurity, was not consistently followed in some firms. Examples of hygiene issues included shortcomings in vulnerability management and information storage, poor configuration of IT infrastructure and poor user account and password management. These issues were exhibited by both large and small firms and those from across the full range of IT infrastructure in terms of size, complexity and budgetary resources. Inadequate cyber-hygiene was the root cause of over 80 per cent of successful cyber-attacks on firms.

Joint approach

In July 2018, the PRA and FCA co-published a discussion paper on operational resilience, which they followed up with a consultation paper on the same topic in December 2019¹³. In the consultation paper the UK regulators defined operational resilience as the ability of firms to prevent, adapt, respond to, recover and learn from operational disruptions such as a cyber-attack. The consultation paper set out proposals to change how firms approach their operational resilience, in summary it proposed that firms:

• Identify their important business services that, if disrupted, could cause harm to consumers or market integrity.
• Identify and document the people, processes, technology, facilities and information that support a firm’s important business services.
• Set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption).
• Test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
• Conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible.
• Develop internal and external communication plans for when important business services are disrupted.
• Create a self-assessment document.

In March 2020, it was announced that the consultation deadline would be extended to October 1, 2020. It is currently planned that firms will not need to meet the requirements resulting from the consultation before the end of 2021. While operational resilience remains a top supervisory priority, the extension is intended to alleviate the burden on firms in the wake of the COVID-19 pandemic. However, many firms will have implemented the proposals before the deadline as part of their pandemic response.

CBEST

For those banks and financial market infrastructures that are considered to be core to the UK financial system, the UK authorities launched in May 2014 a voluntary programme called ‘CBEST’. The origins of CBEST can be found in a Financial Policy Committee recommendation in 2013 requesting that HM Treasury and the UK regulators work together with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack. A CBEST implementation guide has been developed by the BoE Sector Cyber Team for the benefit of CBEST participants and service providers. It explains the key phases, activities, deliverables and interactions involved in a CBEST assessment. Other CBEST publications include a services assessment guide and a guide on understanding cyber-threat intelligence operations.

CQUEST

For situations where the UK regulators want to assess, at a high level, a firm’s cyber-resilience capability, the PRA and FCA have created a questionnaire. CQUEST consists of multiple-choice questions covering all aspects of cyber-resilience, such as:

• Does the firm have a board-approved cybersecurity strategy?
• How does it identify and protect its critical assets?
• How does it detect and respond to an incident, recover the business and learn from the experience?

The answers provide a useful snapshot of a firm’s cyber-resilience capability, and highlight areas for further development.

Cyber simulation

On September 27, 2019, the BoE published a webpage containing the high-level findings of its cyber-simulation exercise (SIMEX18) held in November 2018. The purpose of SIMEX18 was to exercise participants from 29 of the most systemically important firms and financial market infrastructures, who during the exercise responded to a cyber-attack scenario targeting the financial sector.

The BoE’s observations from SIMEX18 included that:

• Improvements could be made at an operational level in respect of the coordination of firms.
• There was significant variance among participants in relation to system integrity issues, participant decision making, and risk appetite for suspending services. The BoE will focus future work on the production of industry guidelines and good practice for managing potential controlled suspension of services and system integrity issues.
• The ability for participants to support other operationally paralysed banks is constrained by the different ways in which data is stored. Further work is anticipated to scope the technical and data requirements for providing services via alternative channels. This will be followed by a strategy paper and playbook to support coordination of this contingency during a live incident.

Industry insight

In 2017, the FCA established cyber co-ordination groups which meet every quarter and allow firms to share knowledge of their common experiences and discuss best practices in their approach to cybersecurity. Each cyber co-ordination group  represents a specific sub-sector. In 2019, these sub-sector groups came from: insurance, fund management, investment management, retail banking, retail investments and lending, brokers and principal trading firms, and trading venues and benchmark administrators. Firm participation has grown from 175 in 2018, to over 185 firms in 2019.

In March 2019, the FCA published an industry insights paper on cybersecurity. Whilst not FCA guidance, the paper sets out cyber practices and experiences of firms that have participated in the  cyber coordination groups and is intended to be particularly helpful for small- and medium-sized firms. In terms of identifying what firms need to protect, the paper shared the following insights and practices:

In March 2020, the FCA published a web page summarising the latest discussions from the cyber co-ordination groups. Whilst the information on the FCA web page is not FCA guidance, it is useful. For example in relation to malicious emails, the web page shared, among things, the following insights on treating email addresses as assets:

Tackling malicious emails requires a comprehensive understanding and management of email addresses. This allows further management of the threat to reduce the likelihood that malicious emails will lead to compromise. CCG members shared the following insights and practices:

Treat email addresses as public information. The format of email addresses can be easily guessed and some email addresses can be easily found online. Email addresses should be treated as if they are publicly available information. It is important to account for this in risk assessments and when developing or adapting controls.

Make usernames for other IT systems unique. Avoid using email addresses as usernames. Create unique usernames that are not easily guessable, especially for externally facing systems (that connect to the internet).

Threat actors will often send multiple empty emails to understand which email addresses are actively used and those that are not. Where possible, switch off the standard email response message for non-active/existent email addresses.

Provide additional security for high-risk user groups. Create more complex email addresses for key decision makers and high-risk user groups to reduce the chance of them being successfully targeted. Consider whether high-risk users require the ability to receive emails from outside the organisation, or indeed send to external mailboxes.

Distribution lists are an easy route for a threat actor to target multiple users within an organisation. Consider whether distribution lists can be used from outside of the organisation and whether use of them can be restricted internally.

More recently on July 1, 2020, UK Finance published a paper on managing cyber incidents, designed to assist firms in thinking about their response plans. The paper emphasised the importance of firms being able to action an effective response to a cyber-attack.

Key takeaways included:

• Plan: Firms should plan for ‘severe but plausible disruption scenarios’, as stated by the BoE, PRA and FCA.
• Prioritise: Firms should identify their core assets and operations, taking into account what is needed to protect customers, and the risks around them to help put effective controls in place and to inform what to prioritise immediately following an incident.
• Regulatory obligations: Firms must take into account their regulatory obligations around cyber incidents – including Principles 3 and 11 of the FCA’s Principles for Businesses, SYSC 3.1.1 and 3.2.6, SUP 15.3.1 and PRA Fundamental Rules 2, 5, 6 and 7.
• The team: A risk-based approach should be taken when deciding the composition of the incident response team, but there should be expert representatives from each relevant business unit and area. Threat intelligence and the incident response team should work side-by-side to ensure those managing incidents are fully informed.
• Geography: Where firms operate in a number of locations, consideration should be given as to how those relationships will work in practice in the event of an incident.
• Communications: Proper consideration should be given as to how firms’ communications will operate in the event of an incident to ensure the correct individuals are involved at the outset and potential harm is mitigated.
• Training: Staff must be properly trained and, in certain areas, tested and any lessons learned from incidents must be factored into the response plan.
• Cost: The possible costs of an incident should be considered, as well as whether cyber insurance is required.

UK enforcement and lessons learnt

A number of cyber-attacks have attracted regulatory attention in recent years. Following a cyber-attack in 2016, in 2018 Tesco Personal Finance plc (Tesco Bank), a wholly owned subsidiary of Tesco plc, was fined £16.4m by the FCA for failing to exercise due skill, care and diligence in connection with the attack in breach of Principle 2. The incident impacted over 8,000 of Tesco Bank’s personal current accounts, with the attackers pocketing some £2.26 million. Firms can draw a number of lessons from the case, not only in relation to measures that can be taken to minimise exposure to an attack, but also in terms of optimising the response to one.

Key findings of the FCA included that Tesco Bank did not respond to the cyber-attack with sufficient “rigour, skill and urgency”. The case highlights the importance of:

(i) Running-through your crisis management procedures in a number of different scenarios – Tesco Bank staff sent emails to an inbox that was not manned over the weekend when the attack occurred instead of calling an on-call fraud strategy analyst;

(ii) Making sure your procedures are up to date – the Tesco Bank incident management rota had the wrong telephone number for the on-call business incident manager; and

(iii) Ensuring your training materials regarding crisis management are clear, consolidated and easy to follow, having well documented procedures alone is not enough – the Tesco Bank  materials were found to be unclear in relation to the stage at which crisis management should be invoked.

The FCA found that Tesco Bank could have ended the attack much earlier than it did. In terms of the fine, the FCA weighted the seriousness of the misconduct by reference to three periods (two before and one after the attack struck) and considered the most serious to be the period in which Tesco Bank sought to respond to the attack itself, which accounted for 45 per cent of the penalty.

In relation to the period prior to the attack, the case illustrates the importance of taking heed of industry warnings about risks and making sure that these risks are properly mapped across the business. Tesco Bank had been warned by Visa and others about exactly the type of transactions that made up the cyber-attack. In response to these warnings, Tesco Bank made changes to its credit, but not its debit cards, which left it vulnerable to the attackers. The bank had also experienced the same type of fraudulent transactions on both its credit cards and debit cards well before the attack.

In the longer term, following an immediate response to an attack, the case also demonstrates the importance of learning lessons from such events and taking remedial action. The bank was given credit by the FCA for the proactive remediation steps it took following the attack, including commissioning: (a) a third-party review following the attack; (b) a root cause analysis of the weaknesses that made Tesco Bank vulnerable to the attack; and (c) an evaluation of its financial crime controls, all of which were provided to the FCA with any privilege waived. Tesco Bank also put in place a comprehensive redress programme and provided high levels of senior level cooperation to the FCA. All of this contributed to a 30 per cent mitigation discount to Tesco Bank’s fine.

It is worth nothing that when cyber-attacks do happen, firms can face exposure to numerous regulators. For example, where there has been a personal data breach (which was not the case in Tesco Bank), the Information Commissioner’s Office (ICO) may become involved. The FCA and ICO have a Memorandum of Understanding in place which includes provisions in relation to the coordination of investigations. Under the Data Protection Act 2018, which incorporates the EU General Data Protection Regulation into law, fines are up to a maximum of €20 million or 4 per cent of a company's global annual turnover, whichever is higher. The Financial Ombudsman Service has also taken on cases in relation to cyber incidents in the past.

EU developments

In December 2019, the European Commission (Commission) launched a public consultation on a digital operational resilience framework for financial services. The consultation, which was published in parallel with a separate consultation on crypto assets, comes as the Commission is working towards a new Digital Finance Strategy. The aim of the strategy is to promote digital finance in the EU while regulating the risks stemming from it in an adequate manner. The consultation closed on March 18, 2020.

The Commission is of the view that, although the EU has already worked on horizontal policies setting cybersecurity standards for the economy as a whole, the increased risks facing the financial sector warrant the EU to develop more specific and more advanced actions that go beyond the horizontal framework. Currently, financial services regulation already includes a number of provisions regulating information and communications technology (ICT) and security risks, but the Commission considers that these are fragmented in terms of scope, granularity and specificity. In order to make the framework work more efficiently and effectively, the Commission thinks that it is essential that financial supervisors work in a harmonised and convergent framework across Member States and different parts of the financial sector. In the light of this, the Commission is looking for stakeholder views on the following:

• Targeted improvements of ICT and security risk management requirements across EU financial services legislation in order to reinforce the level of digital operational resilience of all main financial sectors regulated by EU financial services law.
• The harmonisation of ICT incidents reporting through the clarification and complementation of these rules with provisions that facilitate a better monitoring and analysis of ICT and security-related risks.
• The development of a digital operational resilience testing framework across all financial sectors, which would anticipate threats and improve the digital operational readiness of financial actors and supervisory authorities.
• Rules creating a better oversight of certain critical third-party ICT providers on which financial institutions rely and outsource functions to.
• Arrangements promoting effective information sharing on ICT and security threats among financial market participants and promoting increased cooperation among public authorities.

In terms of next steps, in a speech from the Commission in June¹⁵ Executive Vice-President Valdis Dombrovskis indicated that the Commission intends to:

• Adopt a legislative proposal on digital operational resilience in early autumn 2020.
• Create a financial oversight mechanism for third-party ICT providers, such as cloud services.
• Consider rules to deal with concentration risks arising from reliance on a small number of external providers. 

International developments

In terms of international regulators, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions have led the way with their cyber-guidance published some years ago¹⁶ identifying, describing and comparing the range of observed cyber-resilience practices across jurisdictions. The Financial Stability Board (FSB) is also working on aspects of resilience and recovery. Supplementing this work, there are a number of best practice cyber-resilience frameworks available, including ISO27000 and the NIST framework.

In terms of the FSB’s work, its agenda on cybersecurity has evolved along the following lines:

• Enhancing mutual understanding. In 2017, the FSB took stock of financial sector cybersecurity regulations, guidance and supervisory practices. This work catalysed discussions around cybersecurity within the FSB, and it also informed, in the form of a public report, the public debate.
• In 2018 the FSB published a cyber lexicon to support the work of the FSB, standard-setting bodies, authorities and private sector participants to address financial sector cyber-resilience. The lexicon comprises a set of approximately 50 core terms related to cybersecurity and cyber-resilience in the financial sector.
• The FSB is developing effective practices for cyber incident response and recovery. The objective is to identify a set of tools that the private sector and authorities can use in designing incident response and recovery policies. In April 2020, the FSB published a consultation report on Effective Practices for Cyber Incident Response and Recovery. In its consultation report the FSB set out a toolkit of effective practices that aims to assist organisations in their cyber incident response and recovery activities. The toolkit lists 46 effective practices, structured across seven components including governance and coordination and communication. The deadline for comments on the consultation report was July 20, 2020. The final toolkit, taking on board the feedback from the consultation, will be sent to the October G20 Finance Ministers and Central Bank Governors meeting and published.

The FSB has also highlighted the significant challenges for international cooperation¹⁷ including confidentiality and commercial sensitivity of information. More generally, the rapid evolution of cyber-threats raises the question as to whether cooperation processes are sufficiently agile to be fully effective, both in terms of speed, and in terms of involvement of relevant stakeholders.

More recently and in relation to operational resilience, the Basel Committee on Banking Supervision published in August a consultative document on proposed ‘Principles for operational resilience’ and updates to its ‘Principles for the sound management of operational risk’. The proposed Principles for operational resilience are organised across seven different principles including resilient ICT which captures cybersecurity. The Basel Committee notes that cyber-threats have spiked, and the potential for operational risk events caused by people, failed processes and systems has increased as a result of greater reliance on virtual working arrangements. The principle dealing with ICT picks up on this point further providing that:

• When facilitating the implementation of wide-scale remote-access, rapid deployment of physical assets and/or significant expansion of bandwidth to support remote user connections and customer data protection, banks should ensure that:
  • Appropriate risk mitigation strategies are developed for potential risks associated with a disruption or compromise of technology systems and applications. Banks should evaluate whether the risks, taken together with these strategies, fall within the bank’s risk appetite and risk tolerance for disruption.
  • Well defined processes for management of remote assets, privileged users and application development are in place; and
  • Regular updates are made to ICT including cybersecurity in order to maintain an appropriate security posture to accommodate remote access as a longer-term option.

The deadline for comments on the Basel Committee consultation document is November 6, 2020.

Risk and compliance considerations

A key seam running through the areas discussed above is the quality of businesses’ governance and also the culture they embody. Risk culture is a critical area of importance to cyber-resilience: organisations of course need to have the right risk frameworks, oversight and escalation mechanisms, and monitoring arrangements in place, but, critically, they also need to operate these with the right “mindset” in order to be successful.

This means thinking beyond standardised risks to properly understand where an individual business could be more open to and less prepared for cyber-attacks, and then prioritising resources and improvements accordingly. It also means firms putting in place robust horizon scanning processes so they can continuously check for emerging risks and factor these into their processes.

The importance of this is only amplified by SM&CR in the UK. Across and beyond the SMF24 function, regulators now have a “bullseye” to hold firms to account, and therefore they must ensure their risk management and culture is appropriate and that they continue to evolve it and factor in lessons learnt to improve their processes over time.

Conclusion

COVID-19 represents a “perfect storm” of increased cybersecurity risks, but also increased regulatory risk as well. A key lesson learnt from enforcement action is that when cyber-attacks do happen, firms can face exposure to numerous regulators. For some time both the FCA and PRA have repeated their messages that cyber-attacks generally exploit processes and people and therefore getting the basics right and training staff in a manner that takes them on a journey to become more security focussed is essential.