Inside FCA Podcast: What Does Cyber Security and Resilience Mean for Firms?

FCA cyber security expert Robin Jones discussed what firms can do to protect themselves from cyber-attacks. Key points include the importance of individual responsibility for increased resilience, and the benefits and risks of quantum computing. During this pandemic, cyber security becomes even more important. Below is a summarized version of the podcast and to listen to it in full, click here. 

Q: The last decade has seen more parts of the financial system and delivery services move online. What does that mean for customers and the FCA? 

Over the past 20 years, technology has increased customer access to the financial services. Customers want speed, access and reliability and these expectations have been met quickly.

Technology brings wonderful opportunities, but also brings risks. Cyber criminals will always look to exploit new technology.  

Q: Why is it important for firms to think about this and what exactly do they need to do? 

Technology brings innovation, but firms do not always consider the risks when they build new customer solutions and it can lead to future harm. The main assets cyber criminals seek access to are people’s data and people’s money, resulting in customers not having access to their money when they need it, or potential data loss. While data loss itself may not lead to harm, it could contribute to fraud and further cybercrime. Organizations must build resilience upfront when creating or maintaining technology, rather than it being an afterthought. 

Q: What are some of the vulnerabilities we have right now that might have been different to before? 

The more technology develops, the more complex it becomes. Technology makes the customer experience simple, but behind the customer interface lies very complex technology. When things go wrong systems become more vulnerable to attackers and complexity is an area cyber criminals seek to exploit. Another area of exploitation is people. People design, build, test and use technology and criminals will exploit this and find gaps in it. If people are using technology, they can be tricked into giving up their information. Even the most secure systems are vulnerable to this risk. The more technology allows people to access financial services, the more direct routes criminals have to access customers. 

Q: What can firms do now to stop some of this from happening? 

Firms need to be ‘secure by design’ by thinking about security from day one when they start building a system or solution. 

What are the main implications of these attacks on firms and their customers? 

Criminals look for money or data, which can have an immediate or long-lasting effect on customers. Cyber-attacks undermine trust in the industry and in specific organizations. The FCA publication sector views reveals there has been a 7% increase in technology outages in the year 2018 to 2019. The FCA wants organizations to think about how they would respond to a cyber-attack, if and when one occurs. 

Q: What are some of the things that firms are doing to prevent attacks and associated disruption?

Organizations should consider how well they know their business, what services they provide to their customers and their technology, and how staff and data security processes support that. If firms understand how their business works, it should be easier to understand where it needs to be resilient, and what action to take when something does go wrong. Backup processes and systems are only as secure as the people that use them, whether they are internal people or customers. Things can also go wrong when organizations make changes. Firms should think about how to manage change and ensure change is effective. These are the basics of cyber hygiene and operational resilience. 

Q: What is cyber hygiene? 

Cyber hygiene is about getting the basics right, such as knowing who can access the firm’s systems and data and being aware of changes in access rights resulting from new joiners, leavers or third-party suppliers. Many firms are also slow to patch their software because the complex systems they have built do not lend themselves to an easy upgrade. The FCA has published infographics on good cyber security, which are available here. The National Cyber Security Centre (NCSC) also has vast advice on cyber security, which sets out key information that all firms should be looking at. 

Q: What role does good governance and leadership have when it comes to tackling cyber threats? 

Governance and good leadership are essential in identifying, tackling and responding to cyber threats. Leadership sets the tone in an organization, so firms should establish a culture of good security and cyber awareness. Cyber criminals often seek to gain access to an organization through its staff. Firms should help their staff to identify phishing emails and avoid assigning individual blame when things go wrong. 

Q: Is it possible to create a good security culture and what does it look like?

Firms can prepare staff by sending fake phishing emails to identify which staff require education and support in this area. Firms should also encourage their staff to think carefully about the personal information they publish online, which can all be used by criminals to infiltrate an organization’s cyber security.  

Q: What can smaller firms with fewer resources do to tackle cyber threats? 

Smaller firms should focus on the cyber basics and the NCSC has lots of advice tailored to these organizations. Most small firms will have one or two systems, such as their email system and a storage solution. In general, smaller organizations will have fewer systems to secure, but they should also recognize this is where their vulnerability lies. Many smaller firms have had their emails intercepted or redirected by criminals. If a firm mainly conducts its business by email, this is the place they should focus on being resilient. 

Q: The Bank of England (BoE), the Prudential Regulation Authority (PRA) and the FCA have recently published consultation papers on new requirements to strengthen operational resilience in the financial services sector, and one of the areas of focus is greater resilience of the cloud and other technologies. Why is this important, what was the outcome of the consultation and how might this impact the future of regulation? 

The consultation began from a premise that firms cannot provide a service perfectly all the time. Regulated firms must be prepared for things to go wrong. Firms should consider the potential harm to their customers if they cannot access their money, services, or if their data is lost. Firms should begin by identifying their business services and types of customers, whether retail or market participants, and then establish which of their services are the most important ones from the perspectives of the firm itself, their customers and the regulators. The BoE prioritizes financial stability; the PRA focusses on the safety and soundness of organizations; and the FCA seeks to prevent harm to consumers and the markets. Organizations should prioritize their services and focus on making the most important ones the most resilient. Firms should establish their tolerance for disruption. When firms start testing the resilience of their most important services, they will find gaps in the security, as it would be unrealistic not to. Resilience needs to be discussed at a senior management and board level and cyber resilience is part of the operational resilience agenda. Operational resilience must become a core part of a business model for an organization in this increasingly digital age. 

Q: How will the threats change in the future? 

There will always be threats that relate to people, because people can be vulnerable, and criminals will look for that every time. 

Firms might invest resources securing their laptops, computers and big systems that they use to provide financial services but may forget to spend as much time securing their mobile phones. Mobiles hold huge amounts of sensitive information and are frequently used for corporate purposes. 

In the future there will be increasing risks from ‘quantum computing’. Quantum computing will massively speed up computing power and will infiltrate the security protecting computers, laptops and mobile phones overnight. Once cyber criminals have quantum computing power, they can decrypt the security layers of software systems. Quantum processing will bring organizational benefits by increasing the speed of data processing, but it will also create significant security risk. Nobody knows when this will happen, but organizations must be aware of this impending risk and be prepared.  

Kroll is a division of Duff & Phelps specializing in cyber risk and resilience. Kroll’s cyber experts can help firms to identify and close the gaps in their cyber security, and even offer immediate assistance with a data breach. Please see here for further details. Alternatively, contact your Duff and Phelps compliance contact for an introduction with the Kroll team.