The Financial Conduct Authority (FCA) has published a report on cyber and technology resilience based on its 2017-2018 survey, which assessed firms' technology and cyber capabilities.
The survey looked at key areas such as governance, delivery of change, management of third-party risks and the effectiveness of cyber defences. Firms self-assessed their capabilities, and the FCA then analysed the responses both for each firm and across sectors.
The main takeaways from the Report are:
- Cyber attacks show no sign of decreasing in volume.
- The number of technology outage incidents reported to the FCA increased by 138%.
- 90% of the firms assessed themselves as having strong governance control and they identified it as the area where they have the strongest capability. However, some larger firms identified a lack of cyber and technology knowledge at board level, which may limit the effectiveness of board challenge.
- Most firms rank cyber resilience as their top concern, yet they struggle to maintain a view of what information they hold and of their third parties.
- Many firms reported that they have mature IT change management functions, but failed IT changes caused 20% of the operational incidents reported to the FCA between October 2017 and September 2018.
- Firms described challenges in managing their third parties. Third-party issues, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the FCA (the second highest root cause).
- Across all firms’ cyber resilience responses, retail banks and non-bank payments firms self-assessed as having the most mature capabilities across almost all areas. This may, in part, reflect that firms in these sectors are more regular targets for cyber-attacks. This provides them with experience and relevant intelligence, but also highlights the need for heightened capabilities among these firms.
- In other sectors, including wholesale markets and retail lending, there was a wide range of scores. Some assessed themselves as very mature and others as much weaker. Retail lending and retail investment firms’ survey responses indicate they recognise they have significant room for improvement across both cyber and technology resilience.
All firms should consider the findings and feedback in this report and their relevance to their business. The FCA expects firms to report major technology outages and cyber-attacks, and reminds them of their obligation under Principle 11 of the Principles for Businesses to deal with their regulators in an open and cooperative way and to disclose anything of which the FCA would reasonably expect notice.
Author: Melissa Lewis