For firms in the financial sector, cyber regulation is becoming increasingly complex. The UK is in its second generation of cyber security regulations and follows a cross-cutting approach. That makes it difficult to take a comprehensive look at cyber regulations as they are mostly embedded within a broader range of rules.
Key expectations include alignment with the FCA and PRA rulebooks, overall responsibility for cyber security within the Senior Managers and Certification Regime (SMCR), the Bank of England’s CBEST and CQUEST requirements, and breach reporting. Firms need to stay ahead of regulatory expectations, map the path to better cyber resilience, and ensure they allocate sufficient resources to strengthen internal frameworks.
Additionally, developing effective cyber risk reporting processes is key to communicating risks and opportunities to senior executives. This can include everything from developing clear reporting lines for cyber threats to ensuring that the right stakeholders have access to the information they need to make better decisions.
These reporting processes are regularly reviewed and updated to reflect the latest threats and best practices. By building effective cyber risk reporting frameworks, individuals and teams within firms will have a better understanding of cyber risk and resilience.
While reporting cyber risk is not yet a formal requirement, regulators expect firms to report cyber risk in financial statements. In 2023, the FRC published revised guidance on digital security risk disclosure, focusing on how to improve reporting on digital systems, processes and data that affect business continuity, resilience and value creation.
Expectations and guidelines are likely to turn into mandatory risk reporting – having the right frameworks in place will help firms get ahead of the curve.
Use of the latest technology, such as Artificial Intelligence (AI) and Machine Learning (ML) is increasingly common across the financial sector and is more accessible than ever.
Opportunities are aplenty, as are risks – some businesses have already experienced the effects of AI use going wrong:
To support the secure use of AI, the National Cyber Security Centre (NCSC) has published guidelines that aim to support firms through the development of AI systems and ensure that security still is at the centre of implementation. The NCSC has structured their measures into four sections:
Firms need to have an AI policy in place, supported by a robust project plan, to control what information is available and to restrict wider system access. Key considerations include protecting intellectual property, client data or personal information, in line with UK data protection laws and financial regulation.
Having a strong understanding of the products that support cyber resilience is key – whether it's new technology or not. Firms should ask themselves important questions, including: are our products delivering against their remit, are they being used efficiently, are we duplicating services?
Ransomware continues to be a core risk for financial services firms, requiring constant monitoring. Organisations must adopt strong security measures to tackle the problem head-on. It can be introduced through a variety of means, including email attachments, infected software downloads, and malicious websites.
In the first half of 2023 alone, the FCA received 51 cyber incident reports. This is a 10% increase compared to the first half of 2022 and indicates a rising risk of attack. 31% of these attacks were categorised as ransomware, highlighting the opportunity attackers see to infiltrate systems.
AI has only made these attempts more convincing and challenging to detect - attackers can create ransomware that is sophisticated and difficult to recognise. AI can generate convincing content with minimal human intervention.
Firms must remain vigilant and take proactive measures to mitigate the evolving sophistication of cyber attackers, and the ever-evolving forms of ransomware, including the “attack surface”, “entry vectors” and “recovery strategies” if businesses find themselves facing off against a threat actor. Minimum expectations would include implementing robust security measures, conducting regular risk assessments, and training employees on best practices for identifying and responding to ransomware attacks.
Firms will also have to deal with growing numbers of phishing attacks, supply chain attacks, and increasingly sophisticated social engineering attacks, and convincing AI-enabled attacks.
Many financial organisations simply don’t have the resources they need. Typically, only top-tier banks (or financial institutions of a comparable scale) have a dedicated cyber team or a security operations centre (SOC). Smaller and mid-sized organisations tend to outsource these responsibilities to third parties.
While this can be an affordable alternative, it’s important to make sure these providers have the right skill sets, scale and capabilities to deliver the work effectively. Regulators are increasingly scrutinising the quality of first-line, second-line and third-party governance structures. Many financial organisations are questioning the level of skills and resources available to them internally, especially during challenging economic circumstances. In some circumstances, a hybrid first and third-party solution can provide the most efficient and effective risk management solution.
With the limited number of niche service providers working across the financial sector, firms also need to consider concentration risk and the potential impact on operational resilience contingency planning. Recent attacks have focused on credit card printing providers and businesses supplying hard-copy print services to financial organisations.
Even where it is necessary to use these suppliers, regulators have still insisted on the need to conduct detailed due diligence assessments for oversight, data security, regulatory compliance, and contract management. And for financial services firms, there’s also operational resilience to consider, to ensure any third-party failings don’t lead to service outages that could cause economic harm to customers or the wider economy.
There are also core risks around cloud and software-as-a-service (SaaS) security. Providers of these services are constantly changing their security architectures, which can open new vulnerabilities that firms are not aware of. It is risky to rely on static security design models.
UK regulators have set their sights on cyber risks associated with third-party vendors and suppliers. These vendors and supply chains can – often inadvertently - introduce new vulnerabilities into an organisation's network and compromise sensitive data. Additionally, UK firms still need to comply with the Digital Operational Resilience Act (DORA) if they are in the supply chain of FS companies in Europe
Firms must consider cyber resilience from the outset of working with third parties to develop robust policies and procedures for managing these risks. This can include conducting thorough risk assessments of vendors and suppliers, ensuring that contracts contain security requirements, and consistently monitoring these vendors for any signs of suspicious activity.
It’s important to create a strong cyber risk culture that prioritises cyber security and risk management. This can include everything from ensuring that employees understand their role in protecting the organisation from cyber threats to promoting a culture of accountability and transparency.
Creating a robust culture around cyber security requires mapping elements such as board awareness, tone from the top, managing people risk, phishing training, and awareness of social engineering.
A “no blame” environment that encourages staff to speak up if they’ve accidentally opened a suspicious email or clicked on a fake website link can dramatically improve the security posture for not only the business but the entire industry. Firms can help reinforce this culture by regularly communicating the latest threats and best practices to employees, conducting regular security awareness training, and rewarding employees for showing good cybersecurity practices.
As human error plays a big part in cyber risk, firms should implement frameworks that allow cyber professionals to collaborate with and challenge decision-makers.
Additionally, firms must be aware of the potential training gaps that exist within their organisations, particularly with regard to high-risk individuals. Often firms are not aware of who they are and therefore leave considerable gaps in their prevention framework. A lack of training for high-risk individuals leaves firms more vulnerable to cyber threats and susceptible to attacks. It is crucial that firms provide the relevant training and education to all employees relative to their risk profile.
Firms should look to bridge these training gaps to strengthen cyber resilience and culture - the Bank of England provided guidelines in section 5.2 of its 2023 review of the CBEST programme.
Firms must have a comprehensive incident response plan in place, which can regularly be tested to simulate a real-world response to cyber attacks. This includes identifying the key stakeholders who need to be involved in the response, setting up communication protocols, and integrating processes for containing and mitigating the attack.
While preventative controls certainly support cyber resilience, firms need to focus further on strong response and recovery mechanisms. In case of an attack, which processes do firms have that will allow them to bounce back? And are they credible?
The CBEST findings highlight the importance of having a robust framework in place. The lack of monitoring, logging, and detecting malicious activity exposes important business lines to disruption, hindering the ability to contain incidents and remove threat actors from the network.
While some organisations have integrated workflows that support preventative controls and/or detection use cases, as well as comprehensive and rapid response capabilities, many still face key gaps:
Regulators are increasingly scrutinising how the financial services sector prepares for and manages cyber threats, as the impact from attacks and outages is in line with operational resilience.
To mitigate the risks from key 2024 themes, it is important to align with one of the industry standards such as NIST CSF or ISO 27001 or against best practice by applying the National Cyber Security Centre’s (NCSC) top 10 steps to cyber security, or Center for Internet Security (CIS) benchmarks. The NCSC has been pushing their Cyber Assessment Framework (CAF) for operators of essential services - which banking normally falls into.
Choosing a cyber security framework is a difficult decision. There is no one-size-fits-all solution, as the ‘best’ framework depends on factors such as the business goal, risk tolerance, applicable regulatory drivers and contractual obligations. It is important for firms to conduct a thorough assessment of their needs and requirements before selecting a framework. By aligning to the organisation's unique needs, businesses can better protect themselves.
Where firms have accreditations, such as ISO 27001, they often apply to one specific area of the business. To improve cyber resilience and overcome core challenges, firms should apply the lessons from certifications across the organisation. When working with external parties, it’s also important to be transparent about which business units these standards apply to.
A newer version of ISO 27001 has been available since October 2022. The revised standard reflects industry changes, encouraging firms to assess their internal systems and mitigate evolving cyber risks.
Firms won’t be able to certify or recertify against the older version after 30 Apr 2024, so they should act now. Implemented correctly, ISO 27001:2022 certification can significantly reduce cyber risks.
To learn more about key cyber themes, risks, and opportunities for financial services in 2024, contact Manu Sharma and Ankur Aeran.
