Cyber Security Summit keynote speaker and Chief Operating Officer of the Financial Conduct Authority, Nausicaa Delfas, talked to us about the almost dizzying list of activities the FCA is currently engaged in to defend consumers, the financial services sector and indeed itself from the ever-present threat of cybercrime. Having risen through the ranks at the FCA since joining its predecessor, the Financial Services Authority, in 2000, Nausicaa has held a number of senior positions at the FCA, and until last year led the FCA’s approach to IT and cyber resilience in the financial services industry, as well as financial crime, client assets and resolution, prudential regulation and complex cases, across all sectors. Now, internally, as Chief Operating Officer, one of her responsibilities is cyber resilience. For Nausicaa, cyber risks are a key priority for the FCA, and with 56,000 firms, from large banks to small financial advisors, on its books, the business environments and thus the risks are both varied and highly complex. It is paramount that customers’ data and assets are protected and that markets remain uncontaminated by the nefarious activities of cyber criminals.
One activity which has perhaps had the most wide-reaching consequences for the net resilience of the sector has been to raise the profile of cyber security. In conjunction with the UK’s financial authorities, the FCA has created specialist teams dedicated to ensuring sector-wide cyber hygiene, and plays an influential role in international committees on cyber resilience, such as CPMI-IOSCO and G7 expert groups. Furthermore, in 2013 the FCA developed CBEST, a pioneering vulnerability testing framework designed in conjunction with the Council for Registered Ethical Security Testers, the Bank of England and Digital Shadows. The FCA’s work is by no means limited to the financial services sector: information sharing initiatives straddling 175 firms across various sectors all play an important role in keeping the jewel in the UK’s economic crown safe from amassing cyber threats.
For Nausicaa and her team, cyber security is by no means a ‘one-size-fits-all’ policy; however, the FCA does expect firms to commit a base level of resources, with resources here understood as technological, financial and human. It is this human element which sits at the heart of Nausicaa’s message for the industry: “we’re looking for firms to shift the dial to have a secure, top-down driven structure so everyone is sensitised to the importance of cyber security and understanding cyber risk, so that they shift to a behavioural trait to understand what they should do.” This message has not fallen on deaf ears, with simulated phishing exercises being implemented across the sector, bolstering front-line defence against such recent, pernicious attacks as WannaCry. The notorious ransomware attack demonstrated that cyber preparedness does not stop at prevention. To this end, the FCA encourages firms to institute ‘clear and understandable procedures’ for attack or breach response and business recovery, which are intelligence-led and in line with the latest attack trends. Ransomware attacks also demonstrate the fundamental imperative of basic IT security, from patch management to vulnerability mapping, and here Nausicaa stresses the need for firms to secure basic IT practices as a matter of principle before seeking to rely on modern technological solutions such as cyber-AI. For organisations which depend on third parties for their IT or IT security, the basics are even more important. In such cases the FCA advocates strong relationship management as paramount to successful and secure outsourcing.
Like many challenges facing organisations within the financial services sector, the threat of a cyber-attack is a shared one, and as such, for the FCA it is critical that organisations engage in information sharing to build a common base of know-how and best practice in the face of the ever-growing number and complexity of attacks. Information sharing takes many forms within and outside the UK’s financial services sector, and for Nausicaa the sharing of information can also be divided into ex-ante and ex-post, with important considerations for both. The FCA urges organisations to share experiences of the things that really work, to question collectively what the threats actually are for particular sectors, and to ask whether they are seeing certain trends in some sectors and not in others. The FCA has published an infographic to help firms get the basics right:
Cyber Resilience – https://www.fca.org.uk/firms/cyber-resilience
On the ex-post side, organisations should immediately declare if there has been an incident or an attack, sharing who is affected and how. In addition to the veritable daily cyber-blitzkrieg faced by global finance, firms also face pressure to embrace innovative and disruptive technologies to keep a competitive edge. The adoption of new technology is not without risk, however. In full awareness of the risks posed by emerging technologies such as IoT, in October 2014 the FCA established Project Innovate, a safe haven for the testing of technology which seeks to benefit the industry. Since its inception, Project Innovate has grown to encompass the full spectrum of technological disruption, with dedicated teams supporting both traditional and contemporary services. Despite the inherent vulnerabilities of IT, Nausicaa sees technology as a source of strength in cyber defence, with artificial intelligence and machine learning set to play a significant role in the future. The FCA’s dynamic approach to cyber defence is echoed in its pioneering approach to technology in general, aiding the growth and security of not only the UK’s financial services sector but all those who depend on the services it provides.
Catch Nausicaa Delfas’ keynote talk, “Organisation Preparedness: Moving Beyond Compliance”, at the Cyber Security Summit and Expo on the 16th of November at the Business Design Centre.