The issue of cybersecurity and other technological threats is seemingly one that will never go away, and no financial services firm of any size, in any sector, can afford to neglect the issue.
Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the Financial Conduct Authority (FCA), spoke on this issue when she addressed a Bloomberg conference in November 2018.
Her speech began with a warning that, while new technologies bring new opportunities, they also bring new threats. She said this was “a fundamental challenge” for her organisation. Nevertheless, she added that the FCA was harnessing technology: for example, it is using new technological tools to detect market abuse, and Project Innovate is an initiative that encourages firms to develop new technology.
Next, Ms Butler highlighted how technology-related issues are becoming a greater risk within financial services. In the year to October 2018, the number of technology outages reported to the FCA by authorised firms rose by 138% when compared to the previous 12 months. 18% of all the reports concerned cyber incidents. She added that she believed the true extent of the problem was still being under-reported.
However, she did reassure her audience that the FCA accepts that incidents will sometimes occur, and that firms cannot realistically foresee and prevent all episodes. Here, the FCA director commented:
“The FCA does not expect ‘zero-failure’, a point that is explicitly in July’s FCA and Bank of England paper on operational resilience. In that we talk about setting ‘impact tolerances’ and the ability of firms to ‘recover and learn from operational disruptions’.”
However, she did say that “the FCA is deeply concerned that the number of technology incidents reported to us has increased, with many outages linked to re-platforming and outsourcing failures.” Many of these episodes have been high-profile failures involving the major banks. Ms Butler added that “a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date.”
The next section of the speech included some useful tips on how firms can minimise the chance of technology problems. These included:
- Use of simulation exercises
- Comprehensive internal training
- Engaging external support to complement existing internal IT functions
- Focusing on the continuity of a firm’s most important business services
- Putting back-up plans in place should an incident occur
- Ensuring the directors and senior management are actively involved in technology risk planning, and that the issue is not just left to the IT department
- Ensuring the long-term interests of customers are protected
In turning to the issue of cyberattacks, Ms Butler added a note of optimism. She listed a number of large firms who have recently fallen victim to significant cyberattacks and noted that there were few financial services firms in her list.
However, she was less positive when she said that it was “a major concern that a lot of firms still seem to be trying to get the basics right on cyber.” In this section of the speech, the FCA director told her audience that:
- A third of firms do not perform regular cyber assessments
- Almost half of firms do not upgrade or retire old IT systems in time
- Only 56% of firms are confident they can measure the effectiveness of their information asset controls