On 22 September 2016, the FCA published a speech (dated 21 September 2016) by Nausicaa Delfas, FCA Director of Specialist Supervision, on the FCA’s supervisory approach to cyber security in financial services firms.
In her speech, Ms Delfas emphasises that cyber security is a shared interest and a shared responsibility for firms and the FCA.
The FCA intends to deepen that spirit of co-operation. It is working with the UK government and other regulators at a national and international level to ensure a co-ordinated approach to addressing the threats posed in this area.
Regarding its supervisory approach, Ms Delfas explains that, among other things, the FCA’s expectations of firms are that they:
- Have a security culture, driven from the top down. Cyber is not only an IT issue but involves people, processes and technology.
- Practise good governance around cyber security (that is, senior management engagement and responsibility, with effective challenge at board level).
- Identify their key assets and ensure appropriate protections around them.
- Maintain adequate detection capabilities.
- Put in place recovery and response systems and controls to enable them to carry on in the event of an unforeseen interruption. The FCA has observed that some firms’ current business continuity plans do not work where data are compromised.
- Communicate in a timely way with consumers and markets, and notify material breaches to the FCA under Principle 11 of its Principles for Businesses. Firms must also share information with others through the Cyber Information Sharing Partnership (CiSP), since information sharing is critical to identifying and tackling patterns of attacks.
The key emerging risks the FCA will be focusing on are ransomware, data storage and outsourcing, and the skills gap in cyber.
In future, the FCA will be engaging with a much wider range of firms than previously about cyber resilience. It intends to focus on those firms where a successful attack might pose the greatest risk to the FCA’s objectives.