Nausicaa Delfas, the Chief Operating Officer at the Financial Conduct Authority (FCA), has highlighted the importance of authorised firms having appropriate cyber security measures in place.

Addressing the Cyber Security Summit and Expo 2017, Ms Delfas began by describing cyber-risk as one of the regulator’s top priorities. She listed some of the main risks as:

  • Markets being disrupted through loss of availability of platforms
  • Sensitive market or customer data being stolen or compromised
  • Loss of access to important banking services

She then linked the issue of cybersecurity to two of the FCA’s operational objectives, saying that if firms are resilient to cyberattacks, then it will help to enhance market integrity and to protect consumers.

Ms Delfas then described the issue as being “beyond compliance”, and added that “it should [instead] be business led.” By this, she means that the issue cannot just be left to a firm’s compliance or IT department to sort out, and that directors and senior managers must be involved in the process.

The FCA COO went on to list a number of questions that firms’ boards should be asking, including:

  • Has the firm identified its critical information and most important data assets? Has it taken steps to quantify the value of this information?
  • Does the firm regularly receive updates showing the threat posed to the firm itself and its critical data assets?
  • Has a risk appetite for the cyber risks been agreed?
  • Would the firm be able to detect a significant cyber breach, and does the firm have the capability to launch an effective and timely response?

She summarised by saying:

“No serious company director can afford to ignore cyber security, because it fundamentally impacts the day-to-day activities of almost every individual and organisation. It is vital that organisations protect themselves, their customers and their supply chains.”

In conclusion, Ms Delfas commented that firms needed to “move towards creating a secure culture where people are naturally alert to security issues and act accordingly.” She added that this would require “a change in behaviour rather than simply sending staff on a training programme.”

The number of cyberattacks reported to the FCA by authorised firms rose from just five in 2014 to 90 in 2016. No one can doubt that cyberattacks are a growing threat.

In addition to the issues mentioned in the latest speech, firms need to ensure that:

  • Sensitive data is protected, e.g. by encrypting it both where it is stored and while it is in transit, with the encryption keys themselves kept under proper control
  • Critical systems and data are backed up, and that restoring from those back-ups is tested regularly (a back-up that has never been restored is untested)
  • Staff use strong, unique passwords when logging on to hardware and software. Mixing lower and upper case letters, numbers and special keyboard symbols is the traditional measure of strength; current NCSC guidance places more weight on length and on not reusing passwords, on screening new passwords against lists of known compromised ones, and on adding multi-factor authentication for remote and privileged access
  • Staff are trained to recognise suspicious activity, such as phishing emails
  • Staff with access to important data are security screened
  • There are effective recovery and response procedures in place, in the form of a detailed business continuity plan, which explains what the firm will do in the event of a security breach to ensure business operations can continue
  • Data security measures are tested on a regular basis
  • Significant data breaches are reported to the FCA, as part of firms’ Principle 11 obligation to disclose to the regulator anything of which it would reasonably expect notice
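The second item in the list above is the one most often left unverified in practice: firms take back-ups but never prove they can be restored intact. The following is an added example, not code from the original article or from the FCA, showing one way to test a back-up end to end: fingerprint the live files with SHA-256, archive them, restore the archive into a scratch directory, and compare. The sample client records, file names and the archive format (a gzip tarball) are constructed for the example; the restore step also refuses archive members with absolute paths, `..` components or links, since an untrusted or tampered archive can otherwise write outside the restore directory.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample files standing in for a firm's client records (not real data).
SAMPLE_FILES = {
    "clients/0001.txt": b"Client 0001: constructed sample record\n",
    "clients/0002.txt": b"Client 0002: constructed sample record\n",
    "policies/retention.txt": b"Retain client records for 7 years (constructed)\n",
}


def sha256_of(path: Path) -> str:
    """SHA-256 digest of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root: Path) -> dict:
    """Map each relative file path under root (POSIX separators) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Archive the source tree; '.' as the archive root keeps member paths relative."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, rejecting members that could escape dest."""
    with tarfile.open(archive, "r:gz") as tar:
        safe = []
        for m in tar.getmembers():
            name = Path(m.name)
            if name.is_absolute() or ".." in name.parts or m.issym() or m.islnk():
                raise ValueError(f"refusing unsafe archive member: {m.name}")
            safe.append(m)
        tar.extractall(dest, members=safe)


def verify_backup(archive: Path, expected: dict, scratch: Path) -> dict:
    """Restore into scratch and compare digests with what the live system held.

    Returns a report with 'missing', 'extra' and 'corrupted' path lists; 'ok' is
    True only when the restored tree matches the expected fingerprints exactly.
    """
    restore_dir = scratch / "restore"
    restore_dir.mkdir()
    restore_backup(archive, restore_dir)
    restored = fingerprint_tree(restore_dir)
    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    corrupted = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def run_backup_test(tamper: bool = False) -> dict:
    """End-to-end restore test on the constructed data.

    With tamper=True one file is altered and one deleted before the archive is
    taken, simulating a back-up that no longer reflects what the firm believes
    it holds; the verification must then report the problem rather than pass.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        for rel, data in SAMPLE_FILES.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        expected = fingerprint_tree(src)  # what we believe is being protected
        if tamper:
            (src / "clients/0001.txt").write_bytes(b"corrupted\n")
            (src / "clients/0002.txt").unlink()
        archive = tmp / "backup.tar.gz"
        make_backup(src, archive)
        return verify_backup(archive, expected, tmp)


if __name__ == "__main__":
    print("clean back-up:", run_backup_test())
    print("tampered back-up:", run_backup_test(tamper=True))
```

In a real firm the expected fingerprints would be recorded at back-up time and stored separately from the archive, and the restore test scheduled so that each critical system is proven restorable within the recovery time the business continuity plan promises.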

No firm of any size can afford to neglect this issue, as the consequences of an attack could be serious. For example, even the smallest financial advisory firm may hold the records of several thousand clients.

Research by financial software provider Intelliflo shows that 44% of financial advisers have experienced some form of cyberattack, and that 82% of clients would stop doing business with their adviser if they became aware that the firm had been hacked.

Hence, any firm unsure as to what they need to do regarding cyber security is advised to seek professional advice.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.