Sunday 17th November 2024

Comsure operates in: the UK, Jersey, Guernsey

The growing need for a cyber “security culture” in the financial services sector – a view from the FCA

As online financial services become more popular, financial institutions face a growing number of organised cyber-attacks and multi-channel threats. According to the ThreatMetrix Cybercrime Report published in February 2017 (ThreatMetrix is a security company that monitors more than 20 billion online transactions worldwide per year), financial technology (FinTech) companies in particular are seeing an increasing number of attacks from criminals who abuse alternative lending and payment models and exploit gaps and loopholes in what are predominantly digital systems designed for superfast processing and agile product innovation.

The growing threat of cyber-criminal activity in the financial sector as a whole was highlighted by the Financial Conduct Authority’s (“FCA”) Director of Specialist Supervision, Nausicaa Delfas, in September 2016.

In her speech delivered at the FT Cyber Security Summit, she outlined:

  • how the FCA is meeting the challenge posed by cyber risk;
  • the FCA’s expectations of financial services firms; and
  • the key emerging risk areas.

Delfas also acknowledged that “cyber resilience” is a priority matter for the FCA, not least because of the evolving and ever-increasing risks and threats: it is understood the FCA received 75 cyber-attack reports in 2016 (up to September), compared with 5 such reports in 2014.

To date the FCA has worked closely with industry given the shared interest and responsibility for cyber security and intends to further that co-operation.

It has engaged both nationally and internationally to ensure a co-ordinated approach to cyber security threats and has conducted resilience exercises with both industry and other regulators. One example is “Resilient Shield”, a joint US–UK exercise in which the FCA focussed on the collective response to a transatlantic cyber event, information sharing, incident response handling and public communications.

The FCA intends to repeat such exercises, with the aim of helping both countries enhance their cyber programmes.

Whilst a firm’s cyber security compliance strategy is likely to be bespoke to its own requirements, the FCA expects an organisation to adopt a “security culture”, driven from the board and senior management down to employees, and has set out some key principles to which firms ought to adhere:

  • good governance: with engagement from the board and senior management;
  • identification and protection of key assets: for example through defence testing, staff training and security screening;
  • adequate detection capabilities: for example through the use of artificial intelligence to detect network vulnerabilities;
  • recovery and response: systems and controls to allow a firm to continue operating and protect essential data in the event of an interruption, for example, through upgrading business continuity plans; and
  • information sharing: while a material breach must be reported to the FCA under Principle 11 of the FCA Handbook (the duty to deal with regulators in an open and co-operative way), firms are also encouraged to share information with others through the Cyber-security Information Sharing Partnership (CiSP) in order to identify and tackle patterns of attack.

The key emerging risk areas also identified were:

  • ransomware: in particular the risk of self-replicating (worm-like) ransomware, which can spread throughout a network without further user interaction;
  • data storage/outsourcing: firms inherit the threat profile of cloud-based service providers (and other outsourced service providers), and remain responsible to the regulator for any data breaches; and
  • the skills gap: initiatives such as the government’s FastTrack cyber apprenticeship scheme should be used to help narrow the skills gap.

With the theft of £2.5 million from 9,000 accounts at Tesco’s banking arm in November 2016, and the statistics set out in the latest ThreatMetrix Cybercrime Report, concerns remain about the methods financial services firms use to detect and mitigate cyber-attacks.

The FCA speech can be accessed here.
