Posted on January 25, 2023
Estimated reading time 2 minutes
The notion that firms must provide full visibility of all security events, attacks or breaches has been circulating in the regulated financial sector for some time. Prompted by geopolitical unrest in the aftermath of a global pandemic, the FCA in the UK (along with the PRA and the NCSC) has accelerated the publication of guidance focussed on operational resilience, with the specific aim of increasing visibility of cybersecurity incidents.
A global move to standardise reporting of incidents
This does not apply only to the UK. The US Securities and Exchange Commission has also proposed rules and amendments intended to bolster the defences of US-listed companies against cyberattacks. Their aim is to standardise disclosure of material cybersecurity incidents and improve visibility of a company's cybersecurity risk management and governance, so that investors are better informed. This is a global conversation.
In March 2022, the FCA released guidance specifically related to the current geopolitical landscape, saying: “You should be ready to report material operational incidents to the FCA in a timely way. During this period [the Russia/Ukraine war], it could be extremely valuable to the FCA and other UK authorities to be notified quickly of developing cyber incidents or outages, so that we can provide specialist expertise and work to minimise harm to consumers, markets, and the wider UK financial sector.”
Operational resilience guidelines
The point to note is that this is a request, not a requirement placed on regulated firms. It is, however, a further indicator that the FCA is rightly taking the cyber threat seriously, and it suggests that reporting of cyber incidents will eventually form part of the regulatory requirements for all FCA-regulated entities.
New operational resilience rules came into force in March 2022 for certain consumer-facing entities: banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope SM&CR firms and electronic payment firms. Firms must comply as soon as reasonably practicable, and in any case before the end of the transitional period in March 2025. The rules require firms to deal with the FCA in an “open and cooperative way”, which includes sharing details if they suffer a major data loss, unauthorised access to IT systems or loss of control of those systems.
Issues for consideration
Professional financial services firms must manage several internal issues in order to be well placed to follow FCA guidance as it develops to cover firms whose clients include institutional investors, HNWIs and professional investors. Hybrid working has led to communications sprawl for many firms: new platforms and tools were adopted organically, so policies and procedures governing them have been developed on an ad hoc basis.

In a cloud-based environment, it is essential to ask the right design questions of your overall IT architecture. What are your operational goals? Are roles defined by department, job function or responsibility? What permissions and controls are in place, and is access granted through a defined process? Would an identity-based, zero trust model deliver better controls than the network perimeter you rely on today? Your IT strategy should be built on your regulatory policies and procedures, so it is reasonable to review the tools in place, assess how and where your teams work and which applications they need, and decide whether training is required to use those applications properly.

If your team is not based in one central location, awareness of shadow IT is also essential: gathering the information the FCA may require after a security breach is far harder if your firm has ‘hidden’ channels of communication. The simplest control is for your IT administrator to manage external channels so that unsanctioned third-party data transfer platforms cannot be reached from corporate devices or accounts. Once data has left your network, tracking it for reporting purposes may simply not be achievable.
Do more with less – and create visibility in the process
External events over the last few years mean it is not unusual for firms to have several different tools capable of delivering the same outcome. Make sure the security tools and controls you have in place are working as intended, and simplify your IT architecture by retiring tools that duplicate another. Work towards the expectation that your firm will need, first, to identify a cyber attack in near real time and, second, to provide reasonable details of the breach to your regulator. If you do not have full visibility of your IT estate, consult an outsourced partner who can evaluate it and advise on how to streamline your tools and on good practice, so that your teams are comfortable with their day-to-day tools and have no reason to resort to third-party communication channels the firm does not monitor. Those unmonitored channels are often where security breaches and vulnerabilities are found.