Firms across all business sectors, and of all sizes, must treat the issue of cyber threats very seriously indeed. The Financial Conduct Authority (FCA) surveyed 296 firms from different areas of financial services during 2017 and 2018 and has now published the results.

The survey asked firms to self-assess their capabilities with regard to governance, delivery of change management, managing third party risks and effective cyber defences.

Some of the deficiencies in their systems and controls that firms admitted to included:

  • A lack of knowledge of cyber issues at board and management level, meaning that they may not be able to challenge the effectiveness of arrangements put in place by the IT function. 16% of smaller firms said they had no individual on the Board who had designated responsibility for IT security, and 26% of smaller firms did not have an overall technology strategy that had been approved by the Board.
  • Difficulties in identifying which individuals were “high-risk staff”, and in providing adequate education to those employees with access to critical systems or sensitive data. Only 47% of all firms surveyed said that they provided additional cyber training for these high-risk individuals.
  • Challenges in managing their third parties. The FCA adds here that third-party issues, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the regulator, and that third-party issues were the second most common root cause of these incidents.
  • Failure to upgrade or remove end-of-life hardware and software assets within a reasonable timeframe – almost 50% of all firms admitted to some deficiencies in this respect.
  • Not sharing information with cyber information sharing platforms.
  • Not having automated systems to identify potential cyberattacks.

18% of the operational incidents reported to the FCA between October 2017 and September 2018 involved a cyberattack, while reports of technology outages have risen by 138% in the space of 12 months. This illustrates that cyber resilience is becoming increasingly important. All firms are asked to consider the findings of the survey and how these might apply to them.

The FCA also reminds firms that under Principle 11, it expects firms to report major technology outages and cyberattacks to the regulator.
