UK Financial Regulator Fires Cyber-Security Warning
The UK financial sector is still too complacent about cyber-security threats, the FCA has warned.
The financial services sector remains under great threat from
cyber-criminals, and it is worrying that many firms appear overly
confident that they can manage technology changes and stay ahead
of the game, a senior UK regulator has warned.
The Financial Conduct Authority says that its data shows there
will be no let-up in the volume and severity of cyber-crime
threats, and that banks and other financial services are in the
firing line.
Until October this year, firms reported a 138 per cent increase
in technology outages to the FCA, with 18 per cent of all the
incidents reported being cyber-related.
“The cast list of organisations hit by big data leaks is long and
growing: Cathay Pacific, JP Morgan, British Airways, Yahoo, My
Heritage, Facebook, eBay, Uber and Equifax among them,” Megan
Butler, executive director of supervision – investment, wholesale
and specialists, said in a speech this week.
“You’ll notice that financial services aren’t over represented in
that group. And our analysis today suggests this isn’t just luck.
Areas like retail banking, payments, and pensions and retirement
income, in particular, describe themselves in our report as
having effective cyber controls. But it is important to say that
we are seeing some serious vulnerabilities across areas like
identification of key assets, information and detection,” Butler
continued.
She said that the rise in incidents reported to the FCA does not
present a one-dimensional picture of a surge in cyber-attacks and
outages. Firms are reporting incidents more robustly, she said,
although under-reporting remains a problem.
“We are worried that a lot of firms seem overly confident about
their ability to manage flagship IT change programmes and keep
their systems up to date. Both large and smaller businesses
described it as a strength in our questionnaire. Yet this is a
level of confidence that simply isn’t supported by the data we’ve
collected on the ground,” she continued.
Butler said that 20 per cent of the reported incidents over the
last 12 months were explicitly linked to weaknesses in change
management.
“There are two possible explanations for this. The first is that
people are ignoring dangerous or negative information.
Behavioural scientists might describe this as an ‘Ostrich bias’.
The second is that leaders don’t appreciate the level of risk, or
else they overestimate their abilities. An overconfidence bias.
And this overconfidence bias does seem to be particularly
characteristic in financial services,” she said.
The cyber-threats are changing employment patterns in finance,
Butler noted. “Historically, and for most of my career in this
industry, the rock stars of finance were always the alpha
traders. Today, it’s the chief information officers and IT
consultants who are in high demand and short supply. Meaning the
best are difficult to employ and hard to retain. A challenge
reflected by the fact that all the wholesale banks and asset
managers we met after this survey said they were concerned about
a shortage of cyber expertise,” she added.