
Call for cyber attack candour

by Mark Rowe

There is ‘a material under-reporting of successful cyber attacks in the financial sector’, according to the UK financial services regulator, the Financial Conduct Authority (FCA). Megan Butler, Director of Supervision – Investment, Wholesale and Specialists at the FCA, told an ICI conference in London on December 5: “Certainly the number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.

“We do not wish to get in the way of firms’ efforts to resolve issues for their customers and the market, and we are sympathetic to the need to respond appropriately to each incident. But we expect to know when you are attacked. With that in mind, let me speak very clearly to firms operating in our capital markets about their reporting responsibilities.

“We absolutely expect all businesses to deal with us in an open, transparent manner. And this is an expectation that includes reporting of material cyber events. The FCA works closely with the Treasury and Bank of England in our capacity as a first responder to cyber-attacks.

“It is therefore essential we know about breaches in real time – as much as anything so we can support firms as they respond to an attack. If you aren’t sure if you need to tell us about an incident, please tell us anyway. We will let you know if we need to refine reporting requirements.

“Finally, and if it isn’t already obvious, I should say that we expect firms to put in place the essentials of good cyber security. We issued an infographic aimed at smaller organisations in June – spelling out the fundamentals of effective cyber security practice. But its messages are basically applicable to all firms.”

Earlier in her speech, she stressed the need for ‘multi-national, multi-agency co-ordination’ against cyber threats. While the regulator was realistic about the fact that some cyber-attacks will succeed, it did expect candour from firms, she said. She offered three pieces of advice. First, know your information assets, though she admitted that most businesses hold so much data that ‘it can be difficult, frankly, to classify and understand what you hold’. “Second, manage the risk. So implement appropriate governance and make sure you have clear accountability across the three lines of defence. Thirdly, how do you respond to an incident? Can you (or even should you) continue to operate during a cyber-attack?” The General Data Protection Regulation presents a further challenge to firms, she admitted. And on Brexit, she spoke of how ‘we need to preserve close regulatory and supervisory links with the EU’, for example on MiFID II (the latest EU Markets in Financial Instruments Directive), and on cyber risk and money laundering, as ‘cross-border’ issues.

For the speech in full, visit the FCA website.

In a separate speech, about the use of artificial intelligence against crime in fintech, Rob Gruppetta, Head of the Financial Crime Department at the FCA, acknowledged that a learning system depends on feedback, ‘but banks often complain they get very little information back from the police after filing a suspicious activity report. This lessens their ability to train the machines to spot the cases of most concern.’

Comments

Keiron Dalton, of Aspect Software, is calling for a more open relationship between authorities and banks. Keiron, who is Global Program Senior Director for Aspect Verify, said: “Both financial institutions and the authorities need to work together and be more proactive in protecting their customers’ data and money, and work on the relationships they share as they tackle this growing issue. In the case of the banking industry this is critical, especially as fraudsters tend to follow the channels of adoption, as they are following the money. In January, the first Open Banking standard will go live in the UK to increase competition between banks by leveraging customer data. So, if we can be open to improve business and boost savings for customers, why is the industry not doing the same to improve security for the public’s money?”

The FCA has reported that the number of cyber-attacks reported to it has increased from five in 2014 to 49 over the last year. Ransomware is said to be increasing and makes up nearly 17 per cent of attacks reported to the regulator.

Keiron added: “When a bank finds a cyber-attack threat, it may learn and prevent that specific instance of fraud being successful in future, but it doesn’t share information about the incident with the wider financial community so that they can also learn to prevent similar instances. That needs to change. It should also be imperative for banks to work closely with mobile network operators, as mobile is the main platform of choice for many customers. There needs to be greater synergy, and competitiveness should be put aside for the sake of reducing the financial risk that fraud places on banks’ profitability.

“Banks and telephone companies often have access to the data showing how people use their networks, in particular behaviours and what is considered ‘normal’ or within a predictable pattern for that individual. This will become increasingly important for banks as they adhere to Know Your Customer practices and will reduce the risk of false positives when suspicious behaviour is flagged. By operating together, and using complex fraud detection and multi-factor authentication technology – such as divert detection and location checks to verify the identity of banking customers – the process will be a lot smoother.”

And Sarah Armstrong-Smith, Head of Continuity and Resilience at Fujitsu UK and Ireland, said: “No company wants to admit that they have had a security breach, but the truth is that there is a very real possibility that at some point a breach will occur. Hiding it won’t save a reputation; if anything, it will tarnish it more. It’s critical therefore for both banks and other companies to have a clear and well-rehearsed crisis management plan for an attack, which includes informing regulators and other key stakeholders. Honesty and transparency are key. After all, it is a lack of trust in a company that will harm it most, especially when it comes to financial institutions, as the public will ultimately be concerned with how it affects them and their finances.

“Whilst identifying the root cause, and reducing the probability of a further breach after an attack, is the number one priority, communications must be fully integrated into the end-to-end crisis management process. In fact, our research found only a third of financial services organisations said they were ‘very confident’ that security could be maintained in the event of an outage, and it’s this type of uncertainty that could be holding organisations back from admitting a breach.

“It is clear that businesses and financial institutions need to ensure their communications are coordinated, consistent, and activated as soon as a breach has been confirmed, as this could be the answer to limiting the reputational, and possibly financial, effects of a successful attack.”


© 2024 Professional Security Magazine. All rights reserved.
