FCA warns asset management firms have inadequate cyber security
8th February 2019
The Financial Conduct Authority (FCA) has warned that the UK asset management and wholesale banking sectors still suffer from a lack of cyber security expertise and preparedness in the event of a cyber attack.
The FCA’s ‘Wholesale banks and asset management cyber multi-firm’ review found that many of the top 20 asset management companies were exposing their clients, and the broader market in which they operate, to the risk of severe harm. It also found a lack of understanding of cyber risk at board and management level and confirmed an overreliance on third-party cyber security service providers.
Views from the top 20 firms
While not an in-depth audit, the FCA review does provide a current insight into the state of cyber preparedness of many of the leading financial services firms in the UK. It includes the views of selected individuals working in asset management companies with client assets ranging from below £15 billion to over £500 billion. It also includes wholesale banks from large global groups with full-service models and those offering a handful of specific business services, such as corporate finance advisory services.
Lack of understanding at a senior level
The FCA confirmed that the board and management committee members it interviewed found it challenging to fully understand and explain the specific cyber risks their firms face. They all indicated that, despite some awareness of cyber crime, their limited technical understanding was restricting their ability to adequately plan for and mitigate the impact of a cyber breach.
Not all firms appeared to have considered the risk that their company may be used as a conduit to damage other firms or connected infrastructure. Nor had they considered that cyber attacks might be motivated by attempts to commit market abuse. The FCA commented, “We saw limited evidence of firms proactively trying to connect the dots between cyber and other conduct issues which may occur through cyber channels, such as market abuse and financial crime.”
Lack of cyber security skills
Many of the firms reviewed blamed the lack of cyber preparedness on their size, low risk-profile or the limited availability of a cyber skillset in the wider independent non-executive director population. Beyond the board and management committee, the second line of defence (the risk and compliance functions) had limited cyber technical expertise. Without adequate knowledge, second line functions may have limited ability to independently test and challenge a strong, technically-sophisticated first line. Firms that chose to include their CISO function in the first line alongside, or as part of, the IT function appeared to show a significant difference in the level of knowledge between the first and second line.
Overreliance on third party suppliers
Many companies indicated they might have over-relied on third party service providers. The FCA warns that “dependency on an external cyber partner could affect a firm’s development of its in-house cyber capabilities and the longer-term abilities of the board to objectively assess their firm’s cyber and control environment”.
As a cyber security service specialist working with private equity firms, we always advise our clients on both the effective technical and commercial (including compliance) management of cyber security. While it can be easier for us to talk with an in-house cyber IT professional, we believe that all third party suppliers have a duty to fully explain the nature of today’s complex cyber threats and to relate them directly to the business risks faced by their customers.
The FCA summarised their findings as follows:
- All the firms surveyed acknowledged the importance of strong cyber security.
- There were different levels of understanding of the many ways that weak cyber security could affect their business and lead to harm to clients and the wider markets.
- Cyber security awareness was lower in firms that did not have a cyber-specific strategy and a proportionate cyber risk framework.
- Many cyber incident response plans take little account of non-technical consequences such as the impact to the firm’s reputation, clients and markets.