Cyber Crime & Financial Regulation

Home About Us
Our Services Sectors
News & Views Contact Us

@en

Telephone 020 3813 2890 for a free no obligation chat about your regulatory requirements with one of our compliance consultants.

Registered in England and Wales as limited company number 07626537 - Registered Office 120 Pall Mall, London, SW1Y 5EA

We use cookies, if you consent to this use, please continue to browse our site.

Here to help with Regulation and Compliance

Compound Growth

Cyber Crime & Financial Regulation

Financial Regulation & a World of Cyber Crime

19th August 2015

Cyber Crime: An Ever-increasing Trend

Throughout the course of last year, private businesses, multinationals like Sony and Facebook and various government sectors made the headlines having been targeted by cyber criminals. And, during a speech last summer on ‘The Technology Challenge’, Martin Wheatley -the then Director at the FCA - also informed that the financial markets were no different, with half of the world’s securities exchanges having fought off cyber attacks.

Martin Wheatley’s comments were also echoed in the FT late last year following a colossal cyber attack upon JP Morgan Chase in New York that saw personal information from 76 million households and 7 million businesses compromised.

It is clear that increasing levels of technology and sophistication by online hackers means it is inevitable that occurrences of cyber crime are only set to increase in the future. Thus mitigating and preparing for these risks should therefore be placed high upon the agenda for financial services firms.

Cyber Threats: What are the Risks?

The risks posed by unauthorised access or disruption to information systems affect three key areas:

Disruption to business operations and services
Data that is commercially sensitive and/or personal may be compromised, stolen, destroyed or published
Reputation: Attacks can severely impact upon a business’ reputation, causing significant public embarrassment and erosion to customer goodwill as well as decreasing a brand’s value or perception.

In the same Technology Challenge speech last summer, the City Watchdog also informed that it saw the recommendations from the Bank of England’s Financial Policy Committee (FPC) to the financial sector to improve and test resilience to a cyber-attack as being very important and supported by the UK Regulators (FCA and PRA).

These recommendations have since been revised, with the FPC having identified ‘cyber attack’ amongst the main risks facing the financial system in the United Kingdom.

As such the FPC now recommends the following for financial services firms:

What is CBEST testing?

But, what is CBEST testing? CBEST is a new framework for testing cyber security vulnerabilities and has been led by the Bank of England’s FPC having recommended that the UK’s main financial authorities cooperate with key players in the UK’s financial system to establish a programme to enhance and test cyber resilience. The CBEST testing framework not only focuses on the key performance indicators of preventing attacks but also those that improve an organisations’ resilience and ability to recover from an attack.

The Bank of England has been working on targeted methods of improving and assessing cyber security for the UK’s financial services industry since 2013 and in May 2014 the CBEST testing framework was announced to the industry with a public launch following in June 2014.

Since then, the regulators have been identifying and contacting firms they consider to be core to the UK financial system to undertake CBEST testing, so at present, CBEST testing is only required by the chosen few, rather than for all financial services firms.

However, the FPC also noted in their recommendations that it was important that boards of financial firms and infrastructure providers recognised their responsibility for responding to cyber attacks. Therefore, all firms should be addressing threats of cyber attack in their risk management and mitigation measures.

UK Regulations

The Financial Conduct Authority has set rigorous standards, with regulated firms having to follow stringent rules and guidelines to ensure that client assets – both financial and intellectual – remain intact.

As a reminder, the FCA’s principles for business include:

PRIN 3: Systems and Controls: a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
PRIN 11: Open and co-operative dealings; disclose anything the FCA would reasonably expect
A firm must also report matters that could have a “significant adverse impact on the firm’s reputation”

For effective governance the boards of regulated firms must treat cyber risk as a core strategic issue and be ready to challenge senior management where resilience and recovery plans are inadequate. In addition it should be noted that the responsibility for cyber resilience and for recovery planning lies with each respective firm’s board as a whole.

So, with the fast-approaching Senior Managers Regime coming into effect, this will provide a framework through which to hold firms’ senior management to account in the area of cyber security risks.

What you need to do now:

The following provides a few pointers on what your firm should consider now to tackle the threat of cyber security breaches and risk posed by cyber criminals:

Ensure that cyber security and resilience is addressed by the board
Identify your operational, reputational and legal exposure
Establish a cross-functional cyber/data security committee to consider policies, practices and emergency response plans
Review your firm’s data gathering, use, security and retention behaviour
Review your firm’s cyber behaviours – cyber risk may demand more conservative internet use
Review your insurance protection
Implement cyber security best practice, (such as the new UK government-approved Internet Security Management standard based on IS 27000 series).

“The Technology Challenge”:

Cyber Attacks

“Already, something like half the world’s securities exchanges have fought off cyber attacks. Nine in ten firms have suffered security breaches in the last year. And 70%of chief executives now list it as a key risk to growth.”

Martin Wheatley, FCA Director,

10th June 2014.

FPC: The main risks facing the financial system in UK:

the global environment;
the reduction in market liquidity in some markets;
the United Kingdom’s current account deficit;
the housing market in the United Kingdom;
consequences of misconduct in the financial system; and
cyber attack.

[Financial Policy Committee Meeting 24June 2015]

“The financial sector is a main target for cyber criminals, whether they are seeking to make a profit from customer data or confidential information about dealmaking, or are “hacktivists” or nation states wishing to make a political point”

Financial Times 2nd October 2014

“The FPC recommends that the Bank [of England], the PRA and the FCA work with firms at the core of the UK financial system to ensure that they complete CBEST tests and adopt individual cyber resilience action plans. The Bank, the PRA and the FCA should also establish arrangements for CBEST tests to become one component of regular cyber resilience assessment within the UK financial system.”

FPC Record of the Financial Policy Committee Meeting 24June2015