@en

We use cookies, if you consent to this use, please continue to browse our site.

Here to help with Regulation and Compliance

Compound Growth

Cyber Resilience for Financial Services Firms

Cyber Resilience Self Assessment for Firms (CQUEST)

25 November 2019

In the last week, together with the PRA, the FCA has published a cyber resilience self assessment questionnaire (CQUEST) for Firms. The questionnaire takes the form of an Excel spreadsheet for firms to complete and return to the FCA.

The nature of this Self Assessment Questionnaire is to help both firms and the regulator to better understand the industry’s cyber resilience capability at a high level to provide a valuable snapshot of a firm’s cyber resilience capability, and highlight areas for further development.

The answers provide a valuable snapshot of a firm’s cyber resilience capability, and highlight areas for further development.

There are a total of 48 multiple-choice questions on the self-assessment form that pose questions to firms such as:

• Does a formally documented cyber security strategy exist and who is it approved by within the organisation?
• Does a formally documented framework (including policies, standards and delivery programme) exist to maintain your security posture and to deliver the cyber security strategy?
• Has a senior executive been appointed who is accountable for the delivery of the cyber security framework within the organisation?
• Are risks to cyber security managed effectively?
• Has the effectiveness of cyber controls been independently assessed against the control objective?
• Do you have a process in place to recover systems and data from an incident?
• Do you have a process in place that incorporates lessons learned from cyber security events and incidents? and
• Have you engaged with critical third parties to understand the risks that exist between both parties, and taken steps to ensure that recovery activities are clearly understood by both parties?

This questionnaire follows on from an article previously published by the FCA back in May 2017 about the risks Cyber poses to all financial services firms reminding firms that they should ‘be aware of the threat’ and ‘able to defend themselves effectively, and respond proportionately to cyber events.’

At that time, the FCA advised that their goal was to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.

The FCA advised that firms of all sizes need to develop a ‘security culture’ from the very top (board) down to every employee and that firms should be able to identify and prioritise their information assets such as hardware, software and people.

Each firm should then be able to:

• protect these assets;
• detect breaches;
• respond to and recover from incidents; and
• constantly evolve to meet new threats.

Since then, the FCA has continued to shed light on the risks posed by Cyber threats to firms in Financial Services. In December 2018 they published their Cyber multi-firm review findings into Wholesale Banks and Asset Managers and in March this year, the FCA published a Cyber Security Industry Insights paper.

Cyber Security Insights Paper

The FCA Cyber Security Insights Paper brought together industry insights on cyber resilience.

Since cyber risks pose a threat to consumers and markets, part of the regulator’s role is to help firms become more resilient to cyber-attacks, therefore reducing the frequency and risk of disruption.

Within the Insights Paper, the FCA collated examples shared by firms and set out those they consider to be beneficial for a wider audience which may help those firms not already involved when considering where to prioritise their efforts towards increased cyber resilience.

The FCA advised that the insights into cyber resilience may be particularly relevant for small and medium-sized firms, although of course all firms were encouraged o consider if the sights might be useful to them.

Responsibilities for Firms: Reporting a cyber incident

Firms should remember that under Principle 11 of the FCA Handbook, you must report material cyber incidents.

But what is a material incident? Well, an incident may be material if it:

• results in significant loss of data, or the availability or control of your IT systems
• affects a large number of customers
• results in unauthorised access to, or malicious software present on, your information and communication systems

More information on How to Report a Cyber Incident can be found on the FCA’s focused Cyber Resilience webpage at: https://www.fca.org.uk/firms/cyber-resilience

Read our latest articles, news and views affecting compliance and regulation in the UK Financial Services Industry.