City watchdog warns of ‘increasing threat’ of cyber attacks
In the year to October, firms reported a 138% increase in technology outages to the regulator, alongside an 18% increase in cyber incidents.
And the problem could be even worse, as businesses are likely to under-report such events, the FCA said.
Despite the high-profile IT meltdown suffered by TSB, as well as a number of digital attacks on well-known brands, the risks are not decreasing, according to Megan Butler, executive director of supervision – investment, wholesale and specialists at the Financial Conduct Authority (FCA).
In a speech today, she said: “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.
“And all the trends that we’re seeing at the moment suggest an increasing threat to UK customers, and financial markets, from technology outages and cyber attacks.”
Butler warned that cyber criminals are “Business-like” in their approach.
She said: “They are attracted to it because they see it a low-risk, high-reward model.
“And they are continually lowering technical barriers to entry. Making crimeware-as-a-service available on the dark web.
“The result is that the current threat level is remarkable.”
Firms over confident
Butler added the FCA is “worried that a lot of firms seem overly confident” about their ability to manage IT change programmes and keep their systems up to date.
She said: “You won’t be surprised to hear me say that the FCA is deeply concerned that the number of technology incidents reported to us has increased, with many outages linked to re-platforming and outsourcing failures.
“The most prominent of these is perhaps TSB’s IT migration earlier this year.
“But we’ve also seen a lot of recent outages caused by relatively small changes, usually made on a week day evening.”
The FCA found 20% of incidents reported over the last 12 months were a result of weaknesses in change management, making it the most frequent cause of outages.
It is also “a major concern” for the regulator “that a lot of firms still seem to be trying to get the basics right on cyber”, according to Butler.
A third of firms do not perform regular cyber assessments and nearly half of businesses do not upgrade or retire old IT systems in time.
Only the largest firms have automated their detection systems to spot potential cyber attacks, the regulator found.
How to resolve issues fast
Firms have been urged to consider whether they are operating strong lines of defence and able to resolve issues quickly.
Butler said the regulator is looking at how businesses are responding to the emerging threats.
Only 66% of large firms, and 59% of smaller firms, understand the response and recovery plans of third parties brought in to handle IT changes, according to FCA research.
Firms must understand and consider risks, including at the very top of businesses.
Butler said often it “isn’t technology at fault when things go wrong. It’s classic systems and control failures”.
She added: “We’re happy for your business to find solutions that work for you. So long as they allow you to demonstrate your systems and controls work…
“There needs to be enough understanding of risk and technology at the highest level of firms to take sensible decisions.”