Since 2017, the FCA has held cyber coordination groups (CCGs) involving almost 200 firms across different financial sectors. The idea is that these groups allow firms to share information and ideas, and the FCA then publishes the results of these forums for other authorised firms to read, which will hopefully improve their awareness of innovative cyber practices.

Perhaps it is not surprising that the FCA says that, on average, smaller firms assessed themselves as having a lower cyber resilience capability than larger firms. However, there was also a higher degree of variance in the self-assessments of smaller firms, suggesting that some smaller firms are very confident about the controls they have in place, whilst other small firms are not at all confident.

The FCA says that firms should consider the following elements of their cyber-security planning:

  • Governance
  • Identification
  • Protection
  • Detection
  • Situational Awareness
  • Response and Recovery
  • Testing

Governance strategies firms could use include:

  • Putting cyber risk on the executive agenda and not just delegating it to the firm’s IT function
  • Educating the senior management to increase their knowledge of cybersecurity risks
  • Understanding who could target the firm for a cyberattack, and why they might do so, and how they would go about it

Identification strategies might include identifying which business services and assets need to be protected, and how critical they are to the functioning of the wider firm.

Protection strategies might include:

  • Offering ongoing training on cybersecurity, and targeting this so that more comprehensive training is provided to key employees, such as those with access to critical systems
  • Making use of encryption, and as it may not be feasible to encrypt every single piece of data, firms should use risk management principles to decide where to prioritise their efforts
  • Identifying vulnerabilities, weaknesses or flaws in the firm’s systems

Detection strategies might include:

  • Identifying the users with privileged access to critical systems
  • Identifying deviations from the expected patterns of use of critical systems – for example is someone accessing something they wouldn’t normally need to?

Situational awareness strategies might include:

  • Participating in information-sharing forums with other firms
  • Examining issues that have affected other firms following cyber incidents, and assessing the impact were the same to occur at your own firm

Response and recovery strategies might include:

  • Testing the impact on your firm of plausible cyber scenarios
  • Reviewing information captured during a cyber incident to improve your firm’s response and recovery controls
  • Establishing and testing internal communication channels with key decision makers, so that decisions can be made faster should an incident occur

Testing strategies might include:

  • Making use of a variety of different testing methods, such as penetration testing, phishing simulations, vulnerability scanning and red/purple teaming
  • Making it easy for staff to internally report issues such as phishing attempts
  • Ensuring staff are choosing sufficiently robust passwords

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article