Global | Publication | August 2020
For some time now financial services firms (firms) have been aware that cyber-resilience is a key area of risk and that it’s not just an IT issue but a regulatory one too. When firms moved the majority of their workforce to remote working to protect them from the COVID-19 pandemic, the risk of a successful cyber-attack increased significantly. In June, the European Commission noted that just after the COVID-19 pandemic began, the use of finance mobile apps in Europe went up by 72 per cent in just one week, due to social distancing and lockdown restrictions. At the same time, cyber-attacks on firms rose by 38 per cent [1].
For some time, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have been vocal in their support of firms becoming more resilient to cyber-attacks. The PRA views cyber-attacks in light of its financial stability objective whilst the FCA sees it in light of its consumer protection and market integrity objectives.
In regulatory terms cyber-resilience has become embedded in the wider concept of operational resilience, which covers different types of operational disruption. Cyber-attacks are, of course, an important element of this concept, although the COVID-19 pandemic has illustrated that they are not the only type of disruption that financial institutions face. Significantly, as the figures mentioned above illustrate, one form of operational disruption (COVID-19) can increase the risk of a cyber-attack as criminals seek to take advantage of the difficult circumstances firms find themselves in.
In this briefing note we look at the key FCA and PRA rules underpinning cyber-resilience and what both regulators are looking for from firms. We also look at some of the lessons learned from regulatory intervention where a firm has suffered a cyber-attack. Finally, we cover recent European and international regulatory developments, and risk and compliance considerations.
In the UK, the Senior Managers and Certification Regime (SM&CR) has applied to the banking sector since March 2016 and to dual regulated insurers since December 2018. Under the SM&CR, individuals who perform the ‘Chief Operations’ senior management function (SMF24) are required to have responsibility for managing the internal operations or technology of the firm or of a part of the firm. This includes responsibility for cybersecurity. The SMF24 function can be split among more than one individual, as long as the split is justified and accurately reflects the firm’s organisational structure and provided splitting does not leave any part of the Chief Operating Officer’s responsibilities out.
Since December 2019, the SM&CR has also applied to FCA solo regulated firms [2]. When implementing the SM&CR for solo regulated firms, the FCA took a different approach than it did for the banking sector, on the basis that it wanted the regime to be proportionate and flexible enough to accommodate the different business models and governance structures of firms. In light of this, it created three different types of solo regulated firm for the purposes of the SM&CR (core firm, limited scope firm and enhanced firm), and the requirements that apply depend on the firm’s classification. Only enhanced firms (the larger solo regulated firms) are required to appoint an individual to the SMF24 function. Where a firm does not have an individual performing the SMF24 function, it is down to the firm itself to determine the most appropriate individual who is accountable.
Some of the key FCA principles and rules pertinent to cyber-resilience are:
On the FCA’s website, Principle 11 is further considered in the context of a cyber event. The FCA states that a firm must report material cyber events, that is, where a cyber-attack:
In terms of implementing the above rules in the cyber-resilience context, the FCA [3] wants all firms to develop a security culture, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.
As with other areas covered by FCA rules, further “soft” guidance for firms has come in the form of FCA speeches. For example, Nausicaa Delfas’ speech in September 2016 [4] alerted firms that getting ‘cyber-basics’ right was key for the regulator, arguing that those firms properly implementing schemes such as the ‘Cyber Essentials’ or ‘10 steps to cyber security’ could eliminate about 80 per cent of the cyber-threats they face.
Another piece of soft guidance was provided by the FCA’s Robin Jones in a speech in January 2018 [5]. He emphasised that firms need to have an understanding of their key assets and be constantly assessing where they are vulnerable. He also drew attention to the fact that it’s not just about technology: people can often be the weakest link, with staff awareness being a vital element of protection. For the FCA, three key lessons from previous incidents were: (i) addressing the basics, (ii) having in place robust contingency plans and (iii) ensuring such plans have a communication plan. In relation to the second item, the best way to mitigate a ransomware attack was to have a back-up: know and agree the organisation’s tolerance for systems or data being unavailable.
Later in 2018 the FCA published ‘Cyber and technology resilience: themes from cross-sector survey 2017/18’. The highlights from this paper included that firms identified governance as the area where they had the strongest capability, although in some of the larger firms a lack of cyber and technology knowledge was identified at board level. The weakest areas firms identified included people, third-party management and protecting key assets. The FCA found that a significant number of firms struggled to maintain a view of what information they held and of their third parties. Firms also found challenges in identifying and managing their high-risk staff and then educating those employees with access to critical systems or sensitive data. A third of firms were found not to be performing regular cyber assessments. Most knew where their data was but described it as a challenge to maintain that picture. Nearly half of firms did not upgrade or retire old IT systems in time. Only 56 per cent said that they could measure the effectiveness of their information asset controls.
On January 9, 2020, the FCA published a statement on its website explaining the implications for operational resilience for firms using outsourcing and other third-party service providers. In terms of outsourcing and data security, the regulator stated that it expected firms to manage the amount of data being stored, processed or transmitted by third-party providers on behalf of the firm, and how critical to operations that data is. This includes how firms configure and monitor their services to reduce security and compliance incidents. The regulator also said that firms should implement an appropriate level of security to protect outsourced data. Where firms outsource to the cloud, they should refer to the FCA’s finalised guidance on the topic [6].
The PRA has eight Fundamental Rules that are similar to the FCA’s Principles for Businesses. In particular:
In the cyber-resilience context [7], the Fundamental Rules are further supplemented by the Risk Control part of the PRA Rulebook. The rules in this part of the PRA Rulebook cover risk control, risk committee and group arrangements and are derived from the Capital Requirements Directive IV and the Markets in Financial Instruments Directive II. They are supplemented by guidance in the form of a couple of PRA Supervisory Statements, including Supervisory Statement 21/15: Internal governance. This particular Supervisory Statement has been updated a number of times and its current incarnation is the update made in April 2017. Among other things, the Supervisory Statement mentions that the PRA expects the following matters to be dealt with in a firm’s business continuity policy:
Like the FCA, the PRA (and more widely the Bank of England (BoE)) has produced soft guidance in the form of speeches. For instance, in 2014 Andrew Gracie gave a speech [8] in which he briefly discussed the broader question of framing regulatory expectations as regards cyber-resilience. He said:
“Detailed prescription is not going to work. As technology, and the threats related to it, evolve, any attempt to etch standards in stone is likely to become outmoded and ineffective. But we will take a systemic, risk-sensitive, intelligence-based view as to what good practice looks like in relation to cyber; and we will take action in the face of inadequate preparation on the part of firms. Just as the threat evolves and adapts, so will our expectations.”
In May 2016 the BoE’s Chief Information Security Officer, Will Brandon, gave a speech [9] on cyber-risk noting that the trouble with most cyber-attacks was that they were not exclusively or even mainly technical in nature. Rather, most cyber-attacks exploited people and/or processes by using social engineering: sending emails with tempting but malicious links or attachments, etc. In doing so, the culture, training and integrity of staff were exploited. Other key points in the speech included that cyber is, to a greater extent, a leadership and management issue. Leadership needs to be applied from the top, not just from the IT department.
A further BoE speech in 2017 [10] from Charlotte Gerken touched on cyber-resilience, noting that a cyber-attack had a number of features that made it different from other threats to banks’ operational resilience:
A BoE speech in 2018 from Lyndon Nelson [11] noted, among other things, that a cyber-threat requires firms to understand themselves, their strengths and their weaknesses. It becomes essential for them to understand their most critical assets and their most critical functions. In terms of what defines critical, the speech mentioned several things including: the importance to the customer; the importance to the integrity of the institution; and the importance to the sector and the wider economy.
A further speech by Lyndon Nelson in 2018 [12] took stock of global cybersecurity regulatory initiatives. In particular, the speech noted that supervisory assessments across the globe highlighted recurring and prevalent weaknesses, four of which were:
In July 2018, the PRA and FCA co-published a discussion paper on operational resilience, which they followed up with a consultation paper on the same topic in December 2019 [13]. In the consultation paper the UK regulators defined operational resilience as the ability of firms to prevent, adapt, respond to, recover and learn from operational disruptions such as a cyber-attack. The consultation paper set out proposals to change how firms approach their operational resilience. In summary, it proposed that firms:
In March 2020, it was announced that the consultation deadline would be extended to October 1, 2020. It is currently planned that firms will not need to meet the requirements resulting from the consultation before the end of 2021. While operational resilience remains a top supervisory priority, the extension is intended to alleviate the burden on firms in the wake of the COVID-19 pandemic. However, many firms will have implemented the proposals before the deadline as part of their pandemic response.
For those banks and financial market infrastructures that are considered to be core to the UK financial system, the UK authorities launched in May 2014 a voluntary programme called ‘CBEST’. The origins of CBEST can be found in a Financial Policy Committee recommendation in 2013 requesting that HM Treasury and the UK regulators work together with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack. A CBEST implementation guide has been developed by the BoE Sector Cyber Team for the benefit of CBEST participants and service providers. It explains the key phases, activities, deliverables and interactions involved in a CBEST assessment. Other CBEST publications include a services assessment guide and a guide on understanding cyber-threat intelligence operations.
For situations where the UK regulators want to assess, at a high level, a firm’s cyber-resilience capability, the PRA and FCA have created a questionnaire known as CQUEST. It consists of multiple-choice questions covering all aspects of cyber-resilience, such as:
The answers provide a useful snapshot of a firm’s cyber-resilience capability, and highlight areas for further development.
On September 27, 2019, the BoE published a webpage containing the high-level findings of its cyber-simulation exercise (SIMEX18) held in November 2018. The purpose of SIMEX18 was to exercise participants from 29 of the most systemically important firms and financial market infrastructures, who during the exercise responded to a cyber-attack scenario targeting the financial sector.
The BoE’s observations from SIMEX18 included that:
In 2017, the FCA established cyber co-ordination groups which meet every quarter and allow firms to share knowledge of their common experiences and discuss best practices in their approach to cybersecurity. Each cyber co-ordination group represents a specific sub-sector. In 2019, these sub-sector groups came from: insurance, fund management, investment management, retail banking, retail investments and lending, brokers and principal trading firms, and trading venues and benchmark administrators. Firm participation has grown from 175 in 2018, to over 185 firms in 2019.
In March 2019, the FCA published an industry insights paper on cybersecurity. Whilst not FCA guidance, the paper sets out cyber practices and experiences of firms that have participated in the cyber coordination groups and is intended to be particularly helpful for small- and medium-sized firms. In terms of identifying what firms need to protect, the paper shared the following insights and practices:
Consider what you already know | Use the guidance available on GDPR Security Outcomes [14] to create and maintain a list of information assets. This includes how business services and processes use them. | Consider assets from multiple perspectives and draw in data from many sources. It might include combining the output of information asset management, system asset management and business services. Firms should also use change management records, vulnerability scans, anti-virus management consoles and other sources.
Understand who you work with | Ask the finance department for a complete list of suppliers. | Understand the connectivity between and the dependency on partners. Adopting the view that you only need to be concerned with suppliers limits the ability to think wider about third-party risk.
Have a whole business understanding | Use information captured from business impact analysis to build a picture of which business services need to be protected and how critical they are. | Stay plugged into new business initiatives so that you can judge how cyber will need to adapt to the business in the future.
In March 2020, the FCA published a web page summarising the latest discussions from the cyber co-ordination groups. Whilst the information on the FCA web page is not FCA guidance, it is useful. For example, in relation to malicious emails, the web page shared, among other things, the following insights on treating email addresses as assets:
Tackling malicious emails requires a comprehensive understanding and management of email addresses. This allows further management of the threat to reduce the likelihood that malicious emails will lead to compromise. CCG members shared the following insights and practices:
Treat email addresses as public information. The format of email addresses can be easily guessed and some email addresses can be easily found online. Email addresses should be treated as if they are publicly available information. It is important to account for this in risk assessments and when developing or adapting controls.
Make usernames for other IT systems unique. Avoid using email addresses as usernames. Create unique usernames that are not easily guessable, especially for externally facing systems (that connect to the internet).
Threat actors will often send multiple empty emails to understand which email addresses are actively used and those that are not. Where possible, switch off the standard email response message for non-active/existent email addresses.
Provide additional security for high-risk user groups. Create more complex email addresses for key decision makers and high-risk user groups to reduce the chance of them being successfully targeted. Consider whether high-risk users require the ability to receive emails from outside the organisation, or indeed send to external mailboxes.
Distribution lists are an easy route for a threat actor to target multiple users within an organisation. Consider whether distribution lists can be used from outside of the organisation and whether use of them can be restricted internally.
More recently on July 1, 2020, UK Finance published a paper on managing cyber incidents, designed to assist firms in thinking about their response plans. The paper emphasised the importance of firms being able to action an effective response to a cyber-attack.
Key takeaways included:
A number of cyber-attacks have attracted regulatory attention in recent years. Following a cyber-attack in 2016, in 2018 Tesco Personal Finance plc (Tesco Bank), a wholly owned subsidiary of Tesco plc, was fined £16.4m by the FCA for failing to exercise due skill, care and diligence in connection with the attack in breach of Principle 2. The incident impacted over 8,000 of Tesco Bank’s personal current accounts, with the attackers pocketing some £2.26 million. Firms can draw a number of lessons from the case, not only in relation to measures that can be taken to minimise exposure to an attack, but also in terms of optimising the response to one.
Key findings of the FCA included that Tesco Bank did not respond to the cyber-attack with sufficient “rigour, skill and urgency”. The case highlights the importance of:
(i) Running through your crisis management procedures in a number of different scenarios – Tesco Bank staff sent emails to an inbox that was not manned over the weekend when the attack occurred instead of calling an on-call fraud strategy analyst;
(ii) Making sure your procedures are up to date – the Tesco Bank incident management rota had the wrong telephone number for the on-call business incident manager; and
(iii) Ensuring your training materials regarding crisis management are clear, consolidated and easy to follow; having well documented procedures alone is not enough – the Tesco Bank materials were found to be unclear in relation to the stage at which crisis management should be invoked.
The FCA found that Tesco Bank could have ended the attack much earlier than it did. In terms of the fine, the FCA weighted the seriousness of the misconduct by reference to three periods (two before and one after the attack struck) and considered the most serious to be the period in which Tesco Bank sought to respond to the attack itself, which accounted for 45 per cent of the penalty.
In relation to the period prior to the attack, the case illustrates the importance of taking heed of industry warnings about risks and making sure that these risks are properly mapped across the business. Tesco Bank had been warned by Visa and others about exactly the type of transactions that made up the cyber-attack. In response to these warnings, Tesco Bank made changes to its credit cards, but not its debit cards, which left it vulnerable to the attackers. The bank had also experienced the same type of fraudulent transactions on both its credit cards and debit cards well before the attack.
In the longer term, following an immediate response to an attack, the case also demonstrates the importance of learning lessons from such events and taking remedial action. The bank was given credit by the FCA for the proactive remediation steps it took following the attack, including commissioning: (a) a third-party review following the attack; (b) a root cause analysis of the weaknesses that made Tesco Bank vulnerable to the attack; and (c) an evaluation of its financial crime controls, all of which were provided to the FCA with any privilege waived. Tesco Bank also put in place a comprehensive redress programme and provided high levels of senior level cooperation to the FCA. All of this contributed to a 30 per cent mitigation discount to Tesco Bank’s fine.
It is worth noting that when cyber-attacks do happen, firms can face exposure to numerous regulators. For example, where there has been a personal data breach (which was not the case in Tesco Bank), the Information Commissioner’s Office (ICO) may become involved. The FCA and ICO have a Memorandum of Understanding in place which includes provisions in relation to the coordination of investigations. Under the Data Protection Act 2018, which incorporates the EU General Data Protection Regulation into law, fines are up to a maximum of €20 million or 4 per cent of a company's global annual turnover, whichever is higher. The Financial Ombudsman Service has also taken on cases in relation to cyber incidents in the past.
In December 2019, the European Commission (Commission) launched a public consultation on a digital operational resilience framework for financial services. The consultation, which was published in parallel with a separate consultation on crypto assets, comes as the Commission is working towards a new Digital Finance Strategy. The aim of the strategy is to promote digital finance in the EU while regulating the risks stemming from it in an adequate manner. The consultation closed on March 18, 2020.
The Commission is of the view that, although the EU has already worked on horizontal policies setting cybersecurity standards for the economy as a whole, the increased risks facing the financial sector warrant the EU to develop more specific and more advanced actions that go beyond the horizontal framework. Currently, financial services regulation already includes a number of provisions regulating information and communications technology (ICT) and security risks, but the Commission considers that these are fragmented in terms of scope, granularity and specificity. In order to make the framework work more efficiently and effectively, the Commission thinks that it is essential that financial supervisors work in a harmonised and convergent framework across Member States and different parts of the financial sector. In the light of this, the Commission is looking for stakeholder views on the following:
In terms of next steps, in a speech from the Commission in June [15] Executive Vice-President Valdis Dombrovskis indicated that the Commission intends to:
In terms of international regulators, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions have led the way with their cyber-guidance published some years ago [16] identifying, describing and comparing the range of observed cyber-resilience practices across jurisdictions. The Financial Stability Board (FSB) is also working on aspects of resilience and recovery. Supplementing this work, there are a number of best practice cyber-resilience frameworks available, including ISO27000 and the NIST framework.
In terms of the FSB’s work, its agenda on cybersecurity has evolved along the following lines:
The FSB has also highlighted the significant challenges for international cooperation [17], including confidentiality and commercial sensitivity of information. More generally, the rapid evolution of cyber-threats raises the question as to whether cooperation processes are sufficiently agile to be fully effective, both in terms of speed and in terms of involvement of relevant stakeholders.
More recently, and in relation to operational resilience, the Basel Committee on Banking Supervision published in August a consultative document on proposed ‘Principles for operational resilience’ and updates to its ‘Principles for the sound management of operational risk’. The proposed Principles for operational resilience are organised across seven different principles, including resilient ICT, which captures cybersecurity. The Basel Committee notes that cyber-threats have spiked, and the potential for operational risk events caused by people, failed processes and systems has increased as a result of greater reliance on virtual working arrangements. The principle dealing with ICT picks up on this point further, providing that:
The deadline for comments on the Basel Committee consultation document is November 6, 2020.
A key seam running through the areas discussed above is the quality of businesses’ governance and also the culture they embody. Risk culture is a critical area of importance to cyber-resilience: organisations of course need to have the right risk frameworks, oversight and escalation mechanisms, and monitoring arrangements in place, but, critically, they also need to operate these with the right “mindset” in order to be successful.
This means thinking beyond standardised risks to properly understand where an individual business could be more open to and less prepared for cyber-attacks, and then prioritising resources and improvements accordingly. It also means firms putting in place robust horizon scanning processes so they can continuously check for emerging risks and factor these into their processes.
The importance of this is only amplified by SM&CR in the UK. Across and beyond the SMF24 function, regulators now have a “bullseye” to hold firms to account, and therefore they must ensure their risk management and culture is appropriate and that they continue to evolve it and factor in lessons learnt to improve their processes over time.
COVID-19 represents a “perfect storm” of increased cybersecurity risks, but also increased regulatory risk as well. A key lesson learnt from enforcement action is that when cyber-attacks do happen, firms can face exposure to numerous regulators. For some time both the FCA and PRA have repeated their messages that cyber-attacks generally exploit processes and people and therefore getting the basics right and training staff in a manner that takes them on a journey to become more security focussed is essential.
[1] See speech by Executive Vice-President Valdis Dombrovskis at the Digital Finance Outreach 2020, June 23, 2020
[2] On December 7, 2020 benchmark administrators that carry out no other regulated activities will come into scope.
[3] And the PRA.
[4] Expect the unexpected – cyber security – 2017 and beyond. Speech by Nausicaa Delfas on April 24, 2017
[5] Building cyber resilience. Speech by Robin Jones on January 26, 2018
[6] FCA Finalised Guidance 16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services
[7] And more generally the operational resilience context.
[8] Managing cyber risk – the global banking perspective. Speech by Andrew Gracie on June 10, 2014
[9] Remarks to the City Week conference. Speech by Will Brandon on May 10, 2016
[10] The Bank of England’s approach to operational resilience. Speech by Charlotte Gerken on June 13, 2017
[11] Resilience and continuity in an interconnected and changing world. Speech by Lyndon Nelson on June 13, 2018
[12] Stock-take of global cyber security regulatory initiatives. Speech by Lyndon Nelson on December 5, 2018
[13] Consultation Paper 19/32: Building operational resilience: impact tolerances for important business services
[14] This guidance describes a set of technical security outcomes that are considered to represent appropriate measures under the General Data Protection Regulation. It has been developed jointly between the Information Commissioner’s Office and the National Cyber Security Centre.
[15] See speech by Executive Vice-President Valdis Dombrovskis at the Digital Finance Outreach 2020, June 23, 2020
[16] For example, the CPMI guidance on cyber resilience for financial market infrastructures, 2016 and the Basel Committee on Banking Supervision report ‘Cyber Resilience: Range of Practices’, 2019
[17] Cybersecurity: Finding responses to global threats. Speech by Dietrich Domanski on May 10, 2019
© Norton Rose Fulbright LLP 2023