Cyber Resilience for Financial Services Firms
Cyber Resilience Self Assessment for Firms (CQUEST)
25 November 2019
In the last week, together with the PRA, the FCA has published a cyber resilience self assessment questionnaire (CQUEST) for Firms. The questionnaire takes the form of an Excel spreadsheet for firms to complete and return to the FCA.
The purpose of this Self Assessment Questionnaire is to help both firms and the regulator to better understand the industry’s cyber resilience capability at a high level.
The answers provide a valuable snapshot of a firm’s cyber resilience capability, and highlight areas for further development.
There are a total of 48 multiple-choice questions on the self-assessment form that pose questions to firms such as:
This questionnaire follows on from an article published by the FCA in May 2017 about the risks cyber poses to all financial services firms, reminding firms that they should ‘be aware of the threat’ and ‘able to defend themselves effectively, and respond proportionately to cyber events.’
At that time, the FCA advised that their goal was to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.
The FCA advised that firms of all sizes need to develop a ‘security culture’ from the very top (board) down to every employee and that firms should be able to identify and prioritise their information assets such as hardware, software and people.
Each firm should then be able to:
Since then, the FCA has continued to shed light on the risks posed by Cyber threats to firms in Financial Services. In December 2018 they published their Cyber multi-firm review findings into Wholesale Banks and Asset Managers and in March this year, the FCA published a Cyber Security Industry Insights paper.
The FCA Cyber Security Insights Paper brought together industry insights on cyber resilience.
Since cyber risks pose a threat to consumers and markets, part of the regulator’s role is to help firms become more resilient to cyber-attacks, therefore reducing the frequency and risk of disruption.
Within the Insights Paper, the FCA collated examples shared by firms and set out those they consider to be beneficial for a wider audience, which may help those firms not already involved when considering where to prioritise their efforts towards increased cyber resilience.
The FCA advised that the insights into cyber resilience may be particularly relevant for small and medium-sized firms, although of course all firms were encouraged to consider if the insights might be useful to them.
Firms should remember that under Principle 11 of the FCA Handbook, you must report material cyber incidents.
But what is a material incident? Well, an incident may be material if it:
More information on How to Report a Cyber Incident can be found on the FCA’s focused Cyber Resilience webpage at: https://www.fca.org.uk/firms/cyber-resilience