To gain a better understanding of the industry’s resilience, the Financial Conduct Authority surveyed 296 firms during 2017 and 2018 to assess their technology and cyber capabilities. The survey looked at key areas such as governance, delivery of change management, managing third party risks and effective cyber defences. Firms self-assessed their capabilities and the FCA then analysed the responses for each firm and across sectors.
Findings showed that:
- Cyber attacks show no sign of decreasing in volume. They accounted for 18% of the operational incidents reported to the FCA between October 2017 and September 2018.
- Technology outages in the financial services sector are becoming more frequent and publicised. The number of incidents reported to the FCA has increased by 138% in the past year.
- Technology continues to evolve rapidly with firms looking to take advantage of this innovation, while sometimes still relying on ageing IT systems.
- Firms identified governance as the area where they have the strongest capability. In both our technology and cyber surveys 90% of firms assessed themselves as having strong governance controls. Firms that are subject to the Senior Managers Regime often reported a clearer structuring of roles and responsibilities and ownership of a cybersecurity strategy.
- However, some larger firms identified a lack of cyber and technology knowledge at board level, which may limit the effectiveness of board challenge. Board and senior management engagement with cyber and technology resilience is critical to improving firms’ wider operational resilience.
- Most firms rank cyber resilience as their top concern. Firms’ responses highlight cyber weaknesses in 3 areas: people, third party management, and protecting their key assets. Nearly 80% of respondents struggle to maintain a view of what information they hold and of their third parties.
- Firms also identified challenges in identifying and managing their high-risk staff and then educating those employees with access to critical systems or sensitive data, who are more likely to be targeted by cyber criminals.
- There is scope for improving information sharing. We are encouraged that many larger firms play active roles in information sharing networks and platforms. However, we are concerned that this does not extend to smaller firms. Many small firms felt they did not have anything relevant to share. This may mean that valuable information is missing from these forums.
- Many firms reported that they have mature IT change management functions. This is unsurprising given the amount of change many firms undertake. However, failed IT changes caused 20% of the operational incidents reported to the FCA between October 2017 and September 2018.
- Firms also described challenges in managing their third parties. Third party issues, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the FCA (the second highest root cause). This demonstrates how increasingly important third parties are to firms and their customers, and the need to manage them effectively to prevent disruption.
- Across all firms’ cyber resilience responses, retail banks and non-bank payments firms self-assessed as having the most mature capabilities across almost all areas. This may, in part, reflect that firms in these sectors are more regular targets for cyber attacks. This provides them with experience and relevant intelligence, but also highlights the need for heightened capabilities among these firms. Their relatively stronger self-assessed scores are not grounds for complacency. These firms often have relatively complex IT estates, which inherently increases their exposure to attack.