The majority of financial firms rank cyber-resilience as their top concern, with people, visibility and third-party risk key challenges, according to the Financial Conduct Authority (FCA).
The UK regulator’s latest report, Cyber and Technology Resilience: Themes from cross-sector survey 2017 – 2018, is based on interviews with nearly 300 firms over the past 24 months.
The number of technology outages reported to the FCA over the past year increased 138%, with cyber-attacks accounting for 18% of operational incidents.
The report revealed that nearly 80% of respondents have problems understanding what information they hold and gaining visibility into third parties. Third-party failures accounted for 15% of operational incidents.
Identifying and managing high-risk staff and then educating employees with access to critical systems/sensitive data was another key concern.
FCA executive director of supervision, Megan Butler, said it is a worry that many firms still seem to be struggling with the cybersecurity basics.
“A third of firms do not perform regular cyber assessments. Most know where their data is. But describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time. Only 56% say they can measure the effectiveness of their information asset controls,” she said.
“Only the largest firms have automated their detection systems to spot potential cyber-attacks. Smaller firms are generally relying on old school, manual processes - or no processes at all. A problem if you need to respond to a fast-moving incident like a WannaCry or NotPeya attack.”
The most mature organizations are in non-bank payments, retail banking, and wholesale banking while those at the other end of the cybersecurity scale are in wholesale markets, retail investments, and retail lending.
However, the FCA warned financial sector firms of their commitment to transparency, claiming there’s evidence of under-reporting. It is in discussion with companies over 186 cases where the root cause of a cyber incident still hasn’t been revealed.
Butler urged firms to improve awareness programs as a matter of priority.
“At the moment, a lot of firms — 90% in fact — tell us that they operate a cyber awareness program. But a theme of today’s report is that businesses are struggling to identify and manage high risk staff, including those who deal with critical and sensitive data,” she said.
“By creating a positive security culture you can build a truly resilient business. You can use the eyes and ears of your firm to react and respond to threats quickly and accurately and hopefully deal with issues before they ever become an incident. Recognizing this success then helps to build and reinforce that secure culture.”
The FCA bared its regulatory teeth most recently by fining Tesco Bank over £16m for failings which led to hackers stealing millions from its customers in 2016.