In case we were in any doubt that technology and cybersecurity are high on the FCA's supervisory priorities, publications over the past week serve as a reminder to financial services firms. Last week, the House of Commons Treasury Committee announced that it has launched an inquiry on IT failures and operational resilience in the financial sector. Hot on the heels of this, today the FCA published a report covering cyber and technology resilience. The report builds on the joint Bank of England, PRA and FCA Discussion Paper, published in July 2018 on building the UK financial sector’s operational resilience.
Today's report gives the results of an FCA survey of 296 firms during 2017 and 2018 to assess their technology and cyber capabilities. The survey looked at key areas such as governance, delivery of change management, managing third party risks and effective cyber defences. In the report, the FCA identifies areas of strength and those for improvement across all sectors. The FCA encourages all firms to consider how the findings in the report apply to them. In particular, the FCA indicates that key areas of focus, such as third party management and change management, will be considered in its supervisory plans for 2019.
Alongside the report, the FCA also published an infographic to help firms know how to react to a cyberattack. Firms need to tell the FCA as soon as they know of ‘material’ cyber incidents which affect the firm. The infographic explores the steps firms can take to protect themselves, as well as points to consider when responding to and recovering from an attack.
In a speech launching the report and infographic, Megan Butler, Executive Director of Supervision - Investment, Wholesale and Specialist at the FCA, stressed that senior managers need, at Board level, "enough knowledge, in-house capability and high quality MI to question the infallibility of their big (and small) ticket IT change programmes", but it is classic systems and controls failures which often let firms down.
I’ll just say though that I think this is a wider issue than a lack of deep IT knowledge. The culture that Boards create is also fundamental. Are you establishing appropriate tolerances for operational disruption? (A point picked up in last week’s announcement of the Treasury Select Committee enquiry into IT failures in financial services.) Are back-up plans in place? Are there response and recovery options? Do your staff and contractors take into account the long-term interests of customers? And do you have appropriate staff training? My point here being that a lot of the time, it isn’t technology at fault when things go wrong. It’s classic systems and control failures.