The potential impact on financial stability is pushing regulators and policymakers to step up their scrutiny of cyber security threats. Manu Sharma reviews recent developments and what they mean for the financial sector.
The financial sector has always been a significant target for cyber criminals, and the attacks continue to grow in sophistication. For example, last year’s Fakecalls trojan horse malware introduced a fake banking app with inbuilt telephone support that connected the user to a scam operator – despite showing a contact number for the bank. Similarly, the SharkBot trojan was embedded in a range of Android apps, which secretly initiated banking transfers from the user’s phone. Not to mention the high number of cryptocurrency thefts, which continue to threaten investor security.

A risk to financial stability

These incidents are by no means isolated and can lead to expensive remediation work, as well as loss of trust and reputational damage. The average cost of a data breach in the financial sector is now around USD 4.45 million (£3.55 million), according to an IBM report, while a recent high-profile case saw the Financial Conduct Authority (FCA) fine a single firm £11.2 million. But taking a broader view, cyber and data breaches can also threaten the wider financial system and affect stability.

Elisabeth Stheeman, external member of the Bank of England Financial Policy Committee, stressed this in a recent speech at the London School of Economics, where she discussed the importance of good cyber security across the financial sector. Citing the Bank of England’s 2022 cyber stress test, she pointed out the wider impact of a cyber security incident and its potential effect on financial stability.

These concerns are by no means unique to the UK, and have been echoed in a range of international publications. For example, the Financial Stability Institute (FSI) recently highlighted that cyber security is a fundamental pillar of the financial sector and discussed the range of regulatory approaches under way. The US Federal Reserve Board has also flagged the importance of effective cyber security, with Ransomware-as-a-Service, poor authentication mechanisms, and third-party attacks as key threats to the resilience of the financial system.

Direct and indirect financial impacts

When looking at the impact of poor cyber security, it’s important to look at both direct and indirect impacts. For example, a cyber incident that materially disrupts a service that is vital to financial institutions, markets or market infrastructure would count as a direct impact. This includes specific events, such as the October 2016 Flash Crash, which was partly due to a rogue trading algorithm.

But these kinds of events can have a broader impact, leading to liquidity stress or financial losses (among others) with potential contagion across the wider market – indirectly affecting financial stability.

International approaches to regulating cyber risks

The FSI also reported on the range of regulatory approaches taking shape in different jurisdictions. Broadly speaking, these tend to follow two paths:

  • Folding cyber risk into existing regulatory frameworks covering topics such as IT or operational resilience
  • Creating new regulations to establish specific cyber requirements

Regardless of the approach, regulators are generally taking a non-prescriptive stance, proportionate to a firm’s size and business activities.

The FSI also noted a shift in regulatory outlooks between early first-generation cyber regulation and more recent second-generation cyber regulation. While the first generation aims to prevent cyber breaches, the second generation assumes that cyber incidents will happen and focuses on cyber resilience to restore services that could affect financial stability. This includes a greater focus on cyber strategy, incident reporting, resilience testing and intelligence sharing. But that doesn’t absolve firms of their responsibilities to take reasonable action to prevent these incidents from happening.

What are the UK's cyber security priorities?

In the UK, the Financial Policy Committee sees cyber security as the most pressing operational risk for the sector and a significant threat to financial stability. The recent Bank of England Systemic Risk survey reflects these concerns, with 80% of banks and financial institutions listing cyber security as a key risk – overtaking geopolitical risks from the previous iteration. However, these threats aren’t mutually exclusive and the National Cyber Security Centre (NCSC) highlights that geopolitics is a key driver behind current cyber threats – which may grow over the coming years.

While good cyber security is a must, it isn’t enough on its own and firms need to embed it within a robust cyber resilience framework. Last year’s cyber stress test underlined this point by assessing a hypothetical cyber incident that redirected payments at two specific firms. The results highlighted some key learnings for firms across the sector, regardless of their size:

  • Effective contingency planning is essential – this relies on good data and adequate investment
  • Firms need to consider mitigating actions – to reduce customer confusion, maintain public confidence and prevent contagion
  • The industry needs firms to work with each other for prompt and co-ordinated decision-making
  • Good communication is vital with timely, consistent and effective updates for a wide range of stakeholders including customers, the media and the regulators

Applying this feedback across the sector will help firms boost their cyber resilience and mitigate the risk to financial stability in the event of a cyber incident.

How are cyber approaches translating into regulation?

With a focus on cyber resilience, the UK is in its second generation of cyber security regulations and follows a cross-cutting approach. That makes it difficult to take a comprehensive look at cyber regulations as they are mostly embedded within a broader range of rules. Key initiatives include the following:

Operational resilience

The regulation has been in place for a few years now, but last year the Prudential Regulation Authority (PRA) and FCA launched a joint discussion paper (DP2/22) covering ‘Critical third parties to the UK financial sector’. The proposed regime would allow the Treasury to designate some third-party providers as critical, and give the regulators the power to take action against providers that aren’t meeting expectations. This is consistent with international approaches, such as the Digital Operational Resilience Act (DORA), which aims to boost digital resilience across five key areas including third-party risk.

NCSC supply chain security guidelines

While not a regulation, firms should also consider best practice guidance from the National Cyber Security Centre on supply chain security. This is sector-agnostic but will ultimately support operational resilience, and DP2/22 and DORA implementation.

Senior Managers and Certification Regime (SM&CR)

Cyber security is now typically an overall responsibility under the SM&CR, sitting under the chief operations (SMF24) role. To meet FCA expectations, the senior manager must demonstrate that they are taking reasonable steps to mitigate cyber risks and embed effective cyber resilience processes.

Firms must disclose material cyber incidents promptly to the FCA

This includes incidents where a firm has found malicious software or unauthorised system access, resulting in significant data loss affecting a large number of people. Firms also need to report significant data breaches to the ICO within 72 hours.

CBEST and CQUEST frameworks

These Bank of England cyber security assessment frameworks aim to improve the financial sector’s resilience to cyber-attacks. Applying to specific organisations and financial market infrastructure firms, CBEST reflects an intelligence-led approach to penetration testing to identify vulnerabilities and improve cyber security. CQUEST helps the regulators gauge the sector’s cyber risk and resilience capabilities.

Consumer Duty

One of the cross-cutting rules is for firms to avoid causing foreseeable harm to retail customers. Firms can cause foreseeable harm to customers through their actions and omissions. Whether harm is considered foreseeable would depend on whether a prudent firm acting reasonably would be able to predict or expect the ultimately harmful result of their action or omission in connection with the product or service. This includes preventing cyber incidents, and reducing their duration and impact.

Network and information systems (NIS) regulations compliance

This applies to medium and large operators of essential services and relevant digital service providers, and creates consistent standards for network and information systems. This is an EU regulation, transposed into UK law, but is now subject to post-Brexit divergence. NIS2 applies from October 2024 and broadens the requirements of the original regulation. It applies to in-scope EU firms and UK firms that conduct business in the EU. All other in-scope UK firms continue to follow NIS, with some amendments.

PSP annual risk assessments

Payment service providers (PSPs) must submit an annual operational and security risk assessment to the FCA, as part of the European Banking Authority (EBA) guidelines for operational and security risk.

There are also the FCA’s principles and the PRA's fundamental rules to consider. Applying to all firms within their respective remits, these rules include cyber security elements throughout, and firms need to think about their application in the context of broader challenges, such as third-party risk, cloud risk and concentration risk.

What financial services firms need to do now

You need to make sure your cyber security and cyber resilience processes are in line with regulatory expectations. To achieve this, cyber security teams need to work more closely with compliance to fully understand the PRA and FCA’s rules, and wider regulatory expectations – and crucially what they mean in practice. Mapping these expectations to the supporting cyber security activity will help safeguard these endeavours from process changes, and boost resilience in the long term.

Things to consider:

  • How your cyber strategy and governance processes reflect the firm’s risk profile and risk appetite
  • What measures are in place to prevent, monitor and report cyber incidents
  • How to share intelligence across the wider market and stay up to date with latest developments
  • How to measure and test cyber resilience, and apply lessons learned
  • How to embed cyber security hygiene factors across the organisation to reduce risks from crystallising
  • How to monitor third-party dependencies
  • How to create effective cyber security training and create a robust cyber culture

These steps will improve a firm’s individual cyber security posture, helping to reduce the potential for a disruptive incident, while putting effective controls in place to reduce the cost, impact and reputational damage if the risk does materialise.

For more insight and guidance on cyber security and how it relates to the regulatory landscape, contact Manu Sharma.