With 46% of UK businesses reporting a cyber attack during 2019/2020 and 32% reporting at least one a week – see the UK Government’s Cyber Security Breaches Survey 2020 – the UK’s Financial Conduct Authority (“FCA”) has issued a timely warning to market participants about increasing cyber security threats in the wake of COVID-19.
Operational resilience remains a key priority for the regulator, with cyber threats posing a significant risk to firms and clients. The FCA’s clear focus on this area (along with other regulators worldwide) means that firms need to stress test their existing frameworks as a priority.
Earlier in the year, the FCA set out its expectations of continued vigilance in a Dear CEO letter to Asset Managers, which identified key risks in the areas of AML failures, technological failures and cyber-attacks. Since then, there has been a series of communications, including the 2020/21 Business Plan, podcasts and speeches, which focus on the need for firms to review their existing policies and procedures concerning operational resilience.
The FCA’s Cyber Security Groups (which included subsectors in Investment and Fund Management) identified key security risks to firms, including:
- social engineering (using deceptive tactics to obtain otherwise unauthorized access to information)
- credential stuffing (where credentials obtained from a data breach are used to attempt to log in to unrelated services)
- increased use of ransomware
- malicious insider threats posed by current or former employees, contractors or partners, who may misuse access to networks, applications and databases to cause damage and disruption, or erase, modify or steal sensitive data. As firms implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, recruiting insiders becomes an ever more attractive option for those attempting to gain access.
The FCA emphasized that firms’ cyber security measures must keep pace with technological development. For example, data held in cloud environments should be encrypted and protected by appropriate intrusion detection/prevention controls, and change management controls should require multiple levels of approval from the relevant owners. For some cloud environments, ‘kill switch’ technology, which allows for immediate disconnection to manage contagion risk, could also be considered as part of a firm’s response solution.
The increased use and proliferation of mobile devices and remote working, which has become the “new normal” since the spread of COVID-19, requires firms to shift their focus from the security of office-based systems alone to the devices and connections now used outside the office.
The UK Government’s much maligned slogan “stay alert” is apposite here: firms must stay alert, ensure only they control their systems and thereby save data.
Stay tuned for our next blog post on tips for Preparing For and Responding to a Breach in the area of cyber threats. Contact your usual Proskauer counsel for further advice on risk reducing measures in this area.
* * *
Proskauer’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team is focused on supporting and addressing client concerns. Visit our Coronavirus Resource Center for guidance on risk management measures, practical steps businesses can take and resources to help manage ongoing operations.