What firms must do to ensure their cyber security and resilience and to protect customer data comes from several different branches of regulation: data protection laws, cyber security regulations and sector-specific requirements. Firms are often required to ensure that their technical and organisational processes, including cyber resilience, are appropriate to their risks and mitigate any risks that would prevent them from keeping data safe and maintaining continuity of services.
Effective Cyber Resilience Practices
UK regulators like the Information Commissioner’s Office (“ICO”) and Financial Conduct Authority (“FCA”) make cyber resilience a key priority and can take enforcement action against firms for failures in their cyber security and data protection systems. But what makes up effective cyber resilience practices?
Know the risks
Identifying and understanding the risks which firms face is key. Firms need to identify what information they hold and ensure that they have appropriate reasons for holding and processing that data. The more sensitive the information held, the higher the risk if cyber security is breached, and so the stronger the data security measures put in place should be. Firms must keep records of the risks they identify and of how they mitigate and test these within their systems and controls; for example, these should be included in a firm's risk register and compliance monitoring programme.
Protecting data
Firms should establish and maintain appropriate systems and controls to manage their data security risks. This includes ensuring that personnel only have access to the information which is necessary for their role. Firms should use any required firewalls, access restrictions, encryption, verification and monitoring to ensure that the data they hold is protected and only accessed appropriately by the relevant people.
Disaster recovery
Disaster recovery is vital to operational and cyber resilience. Firms must back up critical systems and data, and test backup recovery processes regularly. These plans should be set out in a business continuity/disaster recovery plan which can be accessed in the event of a cyber attack so that service disruption is kept to a minimum.
Network and computer security
Firms must also keep the systems, software and apps they use updated and fully patched. Firms should ensure the adequacy of the systems and controls used to protect the processing and security of their information. Firms may wish to consider obtaining accreditations such as ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection).
User and device credentials
Firms need to ensure that their staff use strong passwords when logging on to hardware and software. It is also common practice to use two-factor authentication, especially where users have access to sensitive data.
Staff awareness and training
Staff are central to a firm's ability to operate securely. Without sufficient training, staff could cause accidental or intentional harm. It is important for firms to implement a robust and consistent approach to staff training and monitoring.
Regulatory considerations
Currently, there is no single regulator specifically dedicated to cyber security. Recent enforcement actions undertaken by the FCA and ICO show the emphasis that the regulators place on cyber security.
FCA’s Principles for Businesses
The FCA's Principles for Businesses set out the regulator's expectation that firms have in place systems and controls intended to manage cyber risk. Failure to establish and uphold these expectations could result in consumer harm and breaches of FCA rules, leading to significant regulatory enforcement.
Consumer Duty
The Consumer Duty, which came into force on 31 July 2023, established a new consumer principle (Principle 12 of the Principles for Businesses) which sets out that firms 'must act to deliver good outcomes for retail clients'. The Consumer Duty was introduced to set a higher standard of consumer protection by requiring firms to put their customers' needs first. Cyber security and resilience breaches, such as theft of personal data, could be seen as a breach of the Consumer Duty where firms fail to take adequate steps to protect customer data from cyber threats.
UK General Data Protection Regulation
The ICO is responsible for upholding and enforcing key data and information regulations such as the Data Protection Act, the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations.
The ICO has a wealth of resources to assist firms in understanding its expectations and how firms should ensure the security of their data. A key principle of the UK GDPR is that firms must process personal data securely by means of 'appropriate technical and organisational measures'. This is known as the 'security principle'.
Firms must be proactive in managing their cyber risks and need to focus on reducing those risks and minimising the impact if an event does occur. These measures should enable a firm to demonstrate that it has implemented appropriate systems and controls to manage risk in accordance with its regulatory obligations, and to reduce the risk of consumer harm and regulatory enforcement.
FCA Update 19/12/2023
The FCA, Bank of England (the Bank) and Prudential Regulation Authority (PRA) have published the latest annual CBEST thematic report.
CBEST tests the cyber resilience of firms and financial market infrastructures (FMIs) through live testing that mimics the actions of cyber attackers.
The report, which contains cyber resilience good practice and insight including from the National Cyber Security Centre (NCSC), is being published in full for the first time. It highlights the importance of building strong cyber hygiene and the need for firms to simulate a range of cyber testing scenarios to remain resilient to threats.
Cyber resilience is a top priority for us, the Bank and PRA. Disruptions from cyber-attacks can impact financial stability, cause intolerable harm to consumers or other market participants, or disrupt market confidence.
Firms and FMIs should read the CBEST thematic and consider embedding the findings into their cyber strategies.
Please see the FCA post here.