FCA publishes cyber resilience report

The FCA has published the results of its survey on technology and cyber resilience. The survey found that nearly half of all firms do not upgrade or retire old IT systems in time, and that only just over half say they can measure the effectiveness of their information asset controls. Megan Butler, speaking about the report, said the FCA believes innovation has had a positive impact on UK finance, and that its focus is on how firms manage the associated risks, given the constant increase in technology and cyber incidents. She said UK regulators recognise that there can be no expectation of zero failure; instead, they will test resilience by considering how well incidents are managed.

She noted regulatory concern at the increase in reported incidents. Regulators understand that IT needs regular updating and that updates will sometimes go wrong, but firms seem overly confident about their ability to manage flagship IT change programmes. Regulators are concerned that firms are ignoring information that signals danger and that senior management do not appreciate the levels of risk. There is also the risk created by the huge amount of outsourcing in IT: many firms say they do not understand the response and recovery plans of their third parties. This is exacerbated by a severe shortage of skilled CIOs and IT consultants.

She then used the Tesco Bank cyber attack to illustrate why it is systems and controls that are at fault when technology goes wrong. Tesco Bank exposed its customers to a known cyber risk and did not fix the resulting problem until after the attack. All firms must be aware of the risks they face and put in place measures to address them.