The frequency of IT outages for UK financial institutions has increased at an alarming rate, with some institutions demonstrating worrying weaknesses in their cyber resilience strategy, according to analysis from the Financial Conduct Authority (FCA).
The number of technology outages reported to the UK financial services regulator increased by 138% between October 2017 and September 2018, according to the FCA’s recent resilience study. Of the 646 technology and cyber incidents reported to the FCA, 79% were related to technology and 18% were cyber. The remaining 3% were caused by non-technical incidents, such as flooding.
Poor change management is the largest root cause of cyber incidents, according to the FCA study, which polled almost 300 firms during 2017 and 2018 and compared the results to cyber incidents reported to the regulator. One fifth of all operational incidents reported to the FCA (91 incidents) were related to change management.
According to Megan Butler, FCA Director of Supervision, the regulator is “deeply concerned” that the number of reported technology incidents has increased, with many outages linked to re-platforming and outsourcing failures. In particular, the regulator is worried that firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date.
This year has seen a number of outages at UK banks, including months of disruption for customers at TSB Bank caused by a problematic IT system migration in April. Barclays, RBS, Natwest and HSBC all suffered service outages in September and October 2018, while the Visa payment card system suffered a widespread outage in the summer. These outages, which follow similar service disruption as previous years, have sparked increased regulatory and political scrutiny.
A Treasury Committee recently launched an inquiry into outages and IT failures in the financial services sector. In July, the FCA proposed new regulatory requirements aimed at making the country’s banks, insurers and asset managers more resilient to technology-related service disruption, such as a major IT outage, an outsourcing failure or a major cyber attack.
The latest FCA study identified a number of concerns for the regulator. Nearly half of firms do not upgrade or retire old IT systems in time. Many firms have yet to include key concepts, such as identification of important business services and the need to focus on recovery plans and customer communications, in their thinking, it says.
The report revealed a disconnect between firms’ own perceived strength in change management and the regulator’s experience of the incidents being reported. According to Butler, this mismatch could be because leaders do not appreciate their level of risk, or because they overestimate their abilities.
Either way, leaders need board-level knowledge, in-house capability, and high quality management information to question the infallibility of their IT change programmes, Butler says in a recent speech.
THIRD PARTY VULNERABILITY
Third party issues, such as an IT failure at an important supplier, were also an area of concern highlighted by the study. Third party issues are the second highest root cause of cyber incidents, accounting for 15% of the operational incidents reported to the FCA.
The financial services sector is heavily reliant on third party contractors for its IT services and technology, yet firms do not have a grip on the cyber security capabilities of these suppliers, the FCA says. At the same time, the report noted a worrying shortage of the cyber expertise required to manage this business model.
The FCA says it is disappointed with firms’ understanding of third party cyber risks. Only 66% of large firms and 59% of smaller firms understood their third parties’ response and recovery plans. These figures drop to 22% and 19% when it comes to explicitly including third parties in their own testing plans.
Some 80% of firms report they maintain a register of third parties, but only half say they maintain a comprehensive list of all third parties that have access to their systems and data.
According to Butler, firms are struggling to keep pace with the risks posed by technology and many are still trying to get the basics right within cyber. A third of firms do not perform regular cyber assessments and only the largest firms have automated their detection systems to spot potential cyber attacks.
According to Butler, the FCA is seeing some “serious vulnerabilities” across areas like identification of key assets, information and detection.
The vast majority (90%) of firms operate a cyber awareness programme, but the FCA study shows that businesses are struggling to identify and manage high risk staff, including those who deal with critical and sensitive data.
Nearly 80% of respondents say they struggle to maintain an up-to-date and consistent view of what information they or their third parties hold, as well as of their critical infrastructure. Some 79% of firms said they knew what their critical assets were, yet only 56% of firms regard themselves as able to measure the effectiveness of their controls in this area.
Firms also reported challenges in identifying and managing their high-risk staff, meaning those more likely to be targeted by cyber criminals. Even where firms did identify staff in high-risk roles, only 47% say they provided additional cyber training for them. Given the prevalence of social engineering and phishing as a means of cyber attack, this presents a significant weakness, the FCA warns.
The FCA says the report findings will be used to inform future regulatory activity. In particular, the regulator says it will focus on third party management and change management in its supervisory plans for 2019.