As cyber risk continues to be a complex challenge for the financial sector, in 2017 the FCA brought together over 175 firms to collaborate in groups on cyber security and operational resilience. These Cyber Coordination Groups (“CCGs”) enable firms to share knowledge and discuss best practices when approaching cyber security, to help reduce potential harm to consumers and markets. Each CCG represents a specific sub-sector which, in 2019, covered Insurance, Fund Management, Investment Management, Retail Banking, Retail Investments and Lending, Brokers and Principal Trading firms, and Trading Venues and Benchmark Administrators.
Last year the FCA published CCG insights, which offered an overview of firms’ general cyber hygiene. It has now published insights on topics discussed this year. The insights cover broad cyber risks across a range of sectors, as well as four themes which the CCGs discussed in depth (Cyber Risks, Identity and Access Management, Third Parties and Supply Chain, and Malicious Emails).
The first theme covered, Cyber Risks, addresses high-level risks discussed using a ‘Cyber Risk Radar’, which aimed to highlight, and track the severity of, cyber risks that the sectors face. The CCGs focussed on the current threat landscape and evolving threats of interest, as well as emerging and future trends, including new technology and factors challenging security response.
Regarding Identity and Access Management (“IDAM”), the CCG sub-sector groups shared practices and insights. This included, but was not limited to, insights on governance and how to review and challenge existing password policies, record keeping and security monitoring and testing.
When discussing third parties and supply chains, CCG members agreed that it is important to ensure that suppliers’ approach to cyber risk fits with an organisation’s approach before engaging with them. Each third party’s profile should be measured and continually assessed to ensure they remain within risk appetite. CCG sub-sector groups shared various practices and insights to help with managing third parties.
Lastly, with regard to malicious emails, CCG members concluded that monitoring and adapting to what they are experiencing will be fundamental to reducing the impact of malicious emails. To assist with this, the CCG sub-sector groups offered various practices and insights for dealing with malicious emails.