Telephone 020 3813 2890 for a free no obligation chat about your regulatory requirements with one of our compliance consultants.
Registered in England and Wales as limited company number 07626537 - Registered Office 120 Pall Mall, London, SW1Y 5EA
Here to help with Regulation and Compliance
Cyber Crime & Financial Regulation
Financial Regulation & a World of Cyber Crime
19th August 2015
Throughout the course of last year, private businesses, multinationals like Sony and Facebook and various government sectors made the headlines having been targeted by cyber criminals. And, during a speech last summer on ‘The Technology Challenge’, Martin Wheatley -the then Director at the FCA - also informed that the financial markets were no different, with half of the world’s securities exchanges having fought off cyber attacks.
Martin Wheatley’s comments were also echoed in the FT late last year following a colossal cyber attack upon JP Morgan Chase in New York that saw personal information from 76 million households and 7 million businesses compromised.
It is clear that increasing levels of technology and sophistication by online hackers means it is inevitable that occurrences of cyber crime are only set to increase in the future. Thus mitigating and preparing for these risks should therefore be placed high upon the agenda for financial services firms.
The risks posed by unauthorised access or disruption to information systems affect three key areas:
In the same Technology Challenge speech last summer, the City Watchdog also informed that it saw the recommendations from the Bank of England’s Financial Policy Committee (FPC) to the financial sector to improve and test resilience to a cyber-attack as being very important and supported by the UK Regulators (FCA and PRA).
These recommendations have since been revised, with the FPC having identified ‘cyber attack’ amongst the main risks facing the financial system in the United Kingdom.
As such the FPC now recommends the following for financial services firms:
But, what is CBEST testing? CBEST is a new framework for testing cyber security vulnerabilities and has been led by the Bank of England’s FPC having recommended that the UK’s main financial authorities cooperate with key players in the UK’s financial system to establish a programme to enhance and test cyber resilience. The CBEST testing framework not only focuses on the key performance indicators of preventing attacks but also those that improve an organisations’ resilience and ability to recover from an attack.
The Bank of England has been working on targeted methods of improving and assessing cyber security for the UK’s financial services industry since 2013 and in May 2014 the CBEST testing framework was announced to the industry with a public launch following in June 2014.
Since then, the regulators have been identifying and contacting firms they consider to be core to the UK financial system to undertake CBEST testing, so at present, CBEST testing is only required by the chosen few, rather than for all financial services firms.
However, the FPC also noted in their recommendations that it was important that boards of financial firms and infrastructure providers recognised their responsibility for responding to cyber attacks. Therefore, all firms should be addressing threats of cyber attack in their risk management and mitigation measures.
The Financial Conduct Authority has set rigorous standards, with regulated firms having to follow stringent rules and guidelines to ensure that client assets – both financial and intellectual – remain intact.
As a reminder, the FCA’s principles for business include:
For effective governance the boards of regulated firms must treat cyber risk as a core strategic issue and be ready to challenge senior management where resilience and recovery plans are inadequate. In addition it should be noted that the responsibility for cyber resilience and for recovery planning lies with each respective firm’s board as a whole.
So, with the fast-approaching Senior Managers Regime coming into effect, this will provide a framework through which to hold firms’ senior management to account in the area of cyber security risks.
The following provides a few pointers on what your firm should consider now to tackle the threat of cyber security breaches and risk posed by cyber criminals:
“The Technology Challenge”:
“Already, something like half the world’s securities exchanges have fought off cyber attacks. Nine in ten firms have suffered security breaches in the last year. And 70%of chief executives now list it as a key risk to growth.”
[Financial Policy Committee Meeting 24June 2015]
“The financial sector is a main target for cyber criminals, whether they are seeking to make a profit from customer data or confidential information about dealmaking, or are “hacktivists” or nation states wishing to make a political point”
“The FPC recommends that the Bank [of England], the PRA and the FCA work with firms at the core of the UK financial system to ensure that they complete CBEST tests and adopt individual cyber resilience action plans. The Bank, the PRA and the FCA should also establish arrangements for CBEST tests to become one component of regular cyber resilience assessment within the UK financial system.”