Robin Jones, head of technology, resilience and cyber specialist supervision at the FCA, said that the UK deals with more than 10 significant cyber security attacks a week, some of which are directed at financial institutions. Mr Jones was speaking at PIMFA’s financial crime conference 2018, at the end of January.
He declined to spell out exactly how many attacks are focused on financial services, but pointed out that all networked organisations are potentially vulnerable and that many hackers go after the simplest openings, such as employees clicking on links in emails, which is why “good cyber hygiene” should be the first line of defence. He said that much of the damage done to the NHS by the WannaCry attack in 2017 could have been prevented if the NHS had followed best practice.
The FCA is keen to see cybersecurity as a board-level topic and understood as a “significant risk”. That is one of the reasons why the Bank of England ran a financial planning contingency exercise in 2017 at which financial institutions could compare their approaches. “One firm stood out and others started to follow suit,” he said. “Response and recovery require thought-out plans in advance.”
Why? Partly because attacks can travel through a system much more quickly than most people realise. Jones said that NotPetya, which was launched in 2017, moved through 10,000 connected systems in a company in 19 minutes. “If you are a firm and have 19 minutes, where would you start?” Jones asked.
What should firms do in the event of an attack?
If firms are attacked, they are required to inform the regulator “promptly” of any material issue. “Promptly,” Jones said in response to a question from “Financial World”, means “as promptly as you know it is happening and can give us something tangible...You don’t need to have a fully worked-out response. I would rather know than wait.” He added that PSD2 regulations talk about a window of four hours for notifying the regulator of a material cyber attack.
“No room for complacency”
The FCA does not have a policy of encouraging firms to test their systems with ethical hacking, though it thinks it is “a great idea”. Jones argued that companies that have the right systems in place – which includes staff being part of the protection – should be able to spot abnormal activity on their network, but “there is no room for complacency”.
The Global Cyber Alliance, which also spoke at the event, estimates that the annual global cost of cybercrime will be US$2tn by 2019, up threefold from 2015.