Allen & Overy: Financial Services Investigations Blog. Focusing on the latest trends, risks and developments in financial services investigations.
Earlier this month the Department for Culture, Media and Sport (the DCMS) published its report (the DCMS report) of the second annual Cyber security breaches survey, seeking to highlight the increasing exposure of UK businesses to these risks. The report swiftly follows the release of the UK Financial Conduct Authority’s (the FCA) Business Plan for 2017/18, which for the first time listed Technological Change and Resilience as a cross-sector priority, with combating cyber risks front and centre.
This post highlights some of the more interesting aspects of the report, which surveyed a wide range of business sectors, with a particular focus on what it means for financial institutions.
With great awareness comes great expectation
Despite most businesses having sought information, advice or guidance on cyber security threats at some point over the past year, only 4% mentioned Government or other public sector sources as their point of reference. This was despite 75% of those who did so finding the material useful and regarding the Government itself as a trusted source.
Financial institutions were, however, the most likely to have sought information from their regulator (8% did so) and were also more likely than most to have looked to trade associations for guidance (also 8%).
These findings will be welcome news to the FCA, whose focus on cyber security is still in its early stages, as it seeks to combat an increase of cyber attacks “in volume, scale and complexity”. The DCMS report did however quote one investment business which hadn’t just referred to the FCA for help, but had expected it from them, “because they had seen this kind of guidance being issued frequently by the Securities and Exchange Commission in the US.”
“There’s some information that comes through from the FCA,” the small business was quoted as saying, “but I think it’s quite limited in terms of cyber security. As a regulated firm the FCA is always my first port of call … You’d expect it to be more tailored to the financial industry.”
Despite these criticisms, the FCA’s recent Business Plan does appear to be trying to answer these concerns, with the creation of a “dedicated Cyber Specialists team”, who have helped “develop a practical cyber resilience toolkit” as well as being “heavily involved in developing international best practice and guidance”.
A justified high priority
The DCMS report found that senior managers in finance or insurance sectors were much more likely than most other businesses to treat cyber security as a high priority, with 90% of those surveyed doing so. In line with this, board-level responsibility was more common among finance or insurance firms; in 54% of these businesses there are board members with responsibility for cyber security.
Encouragingly, the serious treatment of cyber security appears to have filtered down into these sectors’ core staff, where the cross-workforce culture of being cyber secure is especially strong compared to other industries. 63% of businesses in the finance/insurance sector strongly agreed that their core staff take cyber security seriously in their day-to-day work and 60% said cyber security is a very high priority for their organisation’s directors or senior management, the highest proportion among all sectors.
Treating cyber security as a priority is a stance reflected by the FCA, who warn of a “significant increase in attacks reported by [finance] firms over the past three years”, and emphasise that these attacks directly targeted financial institutions or market infrastructure providers. A continued industry-wide focus on firms’ cyber-resilience and financial crime controls therefore appears imperative to maintaining “the stability and integrity of markets”.
Outsourcing without ousting responsibility
The FCA Business Plan noted that a growing number of firms were “outsourcing processes as their business models adapt to cut costs and try to keep pace with evolving services and systems”, which had implications for the market’s “vulnerability to disruptions and cyber-attacks”.
The DCMS report agreed with this, noting that outsourcing of cyber security was more common among finance or insurance firms (60%) than in almost any other industry. One small investment firm using outsourced cyber security called for “written guidance to help them review” contracts with outsourced providers independently, as well as guidance on communication with and assessment of providers, in order to save costs and get a better “sense of reassurance in their providers”.
To combat the “concerning issue” of outsourcing, the FCA have introduced a new Senior Managers and Certification Regime, which came into effect in March 2016, “to enhance individual accountability at the most senior levels in deposit takers and PRA designated investment firms”. In 2017/18 they intend to analyse further third-party outsourcing of oversight and management, and how firms that undertake this work are implementing the regime.
While an increase in the outsourcing of many functions, including cyber security, seems inevitable, the FCA appears attuned to this, and they emphasise throughout their Business Plan that they will work to ensure “suitable governance and oversight of outsourcing arrangements” in the future.
Cyber insurance remains a grey area
Almost two-fifths (38%) of firms across all sectors say they have insurance covering a cyber security breach or attack, according to the DCMS report, although this was flagged as being much more common in the finance or insurance sectors (53%). Making a claim, however, is more of an unknown: only two respondents in the whole survey said they had made a claim on a policy.
The DCMS report gave the example of one micro-finance advisory business which had made a claim, stating that the process had been “longwinded in their view, taking over a year” and was still ongoing. The business expected “future insurance premiums to be higher”, and although they expected the policy to pay out, they remained unsure how much they would get back.
In another example, one investment firm said “they had avoided cyber insurance because the impression they had got from various lawyers was that the current crop of available policies failed to cover a range of risks, such as regulator fines or finding alternative office premises”, while another legal firm “felt that the policies they had seen had set unnecessarily stringent standards for businesses to meet before insuring them, and that these varied considerably across policies”.
One of the report’s recommendations was that Government or trade associations play a role in terms of “mandating or lobbying insurers to make cyber insurance policies more consistent. This was both in terms of minimum coverage offered, and also in terms of what the policies demanded from businesses.”
The report noted that finance or insurance firms tend to be more confident in their understanding of insurance coverage than the average business, but this appears an area yet to be scrutinised by the FCA, except at a wider, more general, level.
Technological innovation has transformed the financial industry, but institutions, along with the FCA and the Government, are not blind to the heightened threat to cyber security that accompanies such progress. There is more that the FCA can do, most notably, it would appear, in the form of readily accessible and tailored guidance, but with cyber security now a cross-sector priority under the FCA’s recent Business Plan, the next steps in this continuous game of cat-and-mouse are already being taken to help regulate this dynamic and digitalised industry and shield it from cyber risks.
• A version of this article was originally written for the April 2017 edition of the Allen & Overy Investigations Insight blog.