Findings from the FCA’s cyber and technology resilience survey
During 2017 and 2018 the FCA surveyed 296 firms to assess their technology and cyber capabilities, particularly around governance, change management, managing third party risks and cyber defences.
The survey highlighted:
- Governance: Firms reported that they have the most mature capabilities in this area, across both technology and cyber resilience. However, there are a number of areas where improvements could be made, including senior level engagement, challenge and skills.
- Identification of key assets, services and third parties: Most firms surveyed had identified their information assets and critical business functions but did highlight the challenges of maintaining this view.
- Information sharing: The survey highlighted that larger firms are more willing to share information, but they do not necessarily have a defined process. This undermines the ability to seek help in the event of a sector-wide cyber-attack.
- Security culture: 90% of firms confirmed that they had a cyber awareness program. However, many firms highlighted difficulties in identifying staff in high-risk roles, with only 47% providing additional training when they were identified.
- Detecting attacks: Only the largest firms had automated systems to detect potential attacks, with inconsistent capabilities.
- Change management: There are inconsistencies between firms’ self-assessed strengths in this area and the FCA’s analysis of technology outages, as poor change management accounted for 20% of incidents reported to the FCA between October 2017 and September 2018.
The cyber and technology resilience of the UK’s financial services industry
In her latest speech, Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists, discussed how resilient the industry is to cyber-attacks and technology outages.
The main focus of her speech was on how firms manage the risks that arise from the increasing use of technology. Between January and October 2018, there was a 138% increase in the number of technology outages reported to the FCA, with 18% being cyber-related. However, the test of a firm’s resilience isn’t the absence of incidents; it’s how effectively those incidents are managed.
The regulator is concerned that firms do seem overconfident in their ability to manage IT change management programmes and systems maintenance, judging by responses to the FCA’s latest survey.
So, what does the FCA expect firms to do? The main thing is to find a solution that works for the individual firm. In the regulator’s experience, the best prepared firms are those that employ a three lines of defence model. One of the challenges, however, is ensuring the Board and senior managers have the right skills and knowledge to understand the risks posed by the technology used across the firm.
On the subject of cyber-resilience, Ms Butler highlights that there are still vulnerabilities in areas such as the identification of key assets, quality of information and detection of cyber-attacks. This comes down to weaknesses in systems and controls.
FCA publishes further Brexit consultation
The FCA has published a further consultation on proposals to prepare for the possibility of leaving the EU without an implementation period. It covers a number of Handbook and binding technical standards (BTS) amendments that weren’t consulted upon in the October paper, including:
- Further amendments to the Handbook around the Temporary Permission Regime
- Handbook amendments to incorporate the new Credit Rating Agency and Trade Repository regimes
- The FCA’s approach to non-Handbook guidance and Handbook forms.
FCA issues Impact Assessment on EU withdrawal
The Treasury select committee requested to see the FCA’s assessment of the impact of the UK leaving the EU. Now the regulator has responded with an impact assessment paper, which focuses on three key areas:
- The UK leaving the EU without an agreement on the 29th March 2019 or after the transitional period that ends in December 2020
- The draft Withdrawal Agreement
- Outline of the political framework of the UK and EU’s relationship
Read our full executive summary here.
FCA will delay launch of Credit Information Market Study
The FCA has announced that it is delaying the launch of its Credit Information Market Study. This is because the regulator has had to prioritise its market study on general insurance pricing. The regulator remains committed to delivering the market study and will publish terms of reference in June 2019.
In its work on assessing creditworthiness in the consumer credit market, the FCA sought industry views on access to, and use of, credit information. This included the timeliness, coverage and accuracy of data provided by credit reference agencies. There is a risk that consumers may experience harm if credit information isn’t shared and maintained effectively. The FCA will explore this risk further and if necessary, explore potential remedies in its market study.
Investment scammer jailed for five years following FCA prosecution
An investment scammer who defrauded investors of nearly £3 million through unauthorised investment schemes has received a five-year prison sentence.
The schemes, which were operated between 2008 and 2017, were buoyed by a ‘pack of lies’ that defrauded the scammer’s friends and family. Of the £3 million handed to him, the scammer invested only £8,000, making a loss of £2,450, with £1 million put aside to fuel his own lifestyle.
The ruse was maintained by investors receiving returns upon their request when in reality it was just money from other victims. Correspondence from brokerages and banks was also forged, with pretend email addresses created to keep the illusion going.
The scammer was not FCA authorised and 17 of the 24 investors, who lost around £1.8 million between them, will only get limited compensation from funds restrained by the FCA.