Nausicaa Delfas, Director of Specialist Supervision at the Financial Conduct Authority (FCA), has warned that even the smallest financial services firms must take the subject of cyber security seriously.
Speaking at the Financial Times Cyber Security Summit, she revealed that the number of ransomware attacks rose by 35% in just one year between 2014 and 2015. The number of cyber-attacks of all types being reported to the FCA by authorised firms is also rising alarmingly, from just five in 2014 to 27 in 2015 and to 75 in 2016 to date.
Ransomware is malware that, once installed on a victim’s computer, encrypts files or otherwise locks the system; the attacker then demands a ransom payment, typically in return for the decryption key or for restoring the systems to full operation.
Ms Delfas cited in her speech the remark of Jake Williams, founder of the cybersecurity firm Rendition Infosec, who said of ransomware attackers that “these guys are crazy sophisticated.”
The FCA continues to work with organisations such as GCHQ, the Government, the Bank of England and the Prudential Regulation Authority to fight cybercrime, but a large proportion of Ms Delfas’ speech was devoted to what the regulator expects authorised firms to do in this area.
According to the FCA director, firms need to take note of the following:
• Firms need to have a ‘security culture’ – everyone from the board to senior management to supervisors and ordinary employees must take the issue of cyber security seriously
• Firms should have ‘good governance’ relating to cyber security – senior management must take responsibility for security in their business function, and boards of directors must challenge management to verify that appropriate arrangements are in place
• Firms must identify what their key assets are, and how they might protect these
• All staff need to be trained to recognise suspicious activity, such as phishing emails
• Staff with access to important data should be security screened
• Firms need to have adequate detection capabilities, so that they know straight away if they have been attacked
• Firms must have effective recovery and response procedures in the form of a detailed business continuity plan, which explains what they will do in the event of a security breach to ensure business operations can continue
• Firms need to test their data security measures on a regular basis
• Significant data breaches must be reported to the FCA, as part of firms’ Principle 11 obligation to disclose to the regulator anything of which it would reasonably expect notice
Ms Delfas concluded by saying that “cyber is a threat that is ever evolving and ever increasing.”
She added a further observation, by saying:
“Most attacks you have read about were caused by basic failings – you can trace the majority back to: poor perimeter defences, unpatched, or end-of-life systems, or just a plain lack of security awareness within an organisation. So we strongly encourage firms to evolve and instil within them a holistic ‘security culture’ – covering not just technology, but people and processes too.
“You can expect to hear more from us on cyber resilience. We will be reaching out to a much wider range of firms than we have to date, and focussing on those in which a successful attack might pose the greatest risk to our objectives. We will be looking closely at the cyber practices of these firms.”
The security breaches at the largest firms, such as that at the telecoms company TalkTalk, inevitably attract the greatest publicity, but no firm of any size can afford to neglect this issue, as the consequences of an attack could be serious. For example, even the smallest financial advisory firm may hold the records of several thousand clients.
Any firm unsure as to what they need to do regarding cyber security is advised to seek professional advice.
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.