Regulation | Apr 25 2017

FCA says firms ignoring cyber security basics


Financial services firms are often not getting the basics right on cyber security, leaving them vulnerable to attacks.

This is the claim made by the Financial Conduct Authority’s chief operating officer Nausicaa Delfas.

In a speech yesterday (24 April), she said many companies falsely believed they were getting the basics right when it came to cyber security.

She cited research which showed that 10 vulnerabilities accounted for 85 per cent of successful breaches.

The “vast majority” of these vulnerabilities were well known and had fixes available at the time of the attack, Ms Delfas said.

She said: “Some of these attacks used vulnerabilities for which a fix had been available for over a decade.

“Being rigorous about patch management is key. Tools to enable effective management of vulnerabilities are well established, and yet organisations either don’t use them, or don’t use them effectively.

“If we cannot get the basics right, then what chance is there that we can repel the sophisticated attacker?”


She added that firms should encourage a “secure culture” so staff members were not just following rules on a “corporate piece of paper” but understood why security was important and how they can achieve it.

Ms Delfas added the FCA has noticed a lack of information sharing outside the systemically important institutions.

This had prompted the regulator to establish a number of Cyber Coordination Groups.

She said: “We are collecting, anonymising and aggregating actual risk data across around 175 firms in each area of the financial sector.

“This will provide us – and firms – with a much better picture about how cyber risk crystallises.

“Are we seeing unique threats in specific parts, such as retail banking, compared to other parts, such as insurance? Or are we seeing the same generic cyber threats threaten all firms?

“We will be seeking to carry this work out over the coming year and will look to share our findings.”

Last week a government report revealed just under half of all British businesses were victim to at least one cyber security breach last year.

The 2017 report, commissioned by the Department for Culture, Media and Sport, found that 46 per cent of all businesses discovered at least one cyber security breach in 2016, with the average cost to firms ranging between £1,570 and £19,600.

It pointed out that larger firms tend to incur much more substantial costs from cyber security attacks, which it said could reflect the increased complexity of the breaches, or because they have more sophisticated systems that are harder to repair.

The report, which is part of the government’s National Cyber Security Programme, warned that costs could come from the loss of customers, data or assets, handling customer complaints, and dishing out compensation, fines or legal fees.

The report came after cyber experts warned that improvements to banks’ cyber systems could displace some of the threats onto other sectors, such as financial advice businesses.

Simon Torry, a chartered financial planner with Essex-based SRC Wealth Management, said: "It is something that's definitely on our radar. We are undertaking a review of our data storage at the moment.

"We are doing some due diligence on our service providers. We use cloud storage so we are looking into those to recheck what security they have in place."

damian.fantato@ft.com