Cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.
Our goal is to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.
Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets - hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.
Cyber security is a shared responsibility, and we take a co-operative approach to address this threat, working with government, other regulators, nationally and internationally on this important issue.
The National Cyber Security Centre provides a broad range of guidance on how firms can protect their information and systems and how to respond to a cyber attack. We have also published a number of different publications and webpages on cyber security:
- Cyber security – industry insights (March 2019)
- Wholesale banks and asset management cyber multi-firm review findings (December 2018)
- Cyber and Technology Resilience: Themes from cross-sector survey 2017-18 (November 2018)
- Megan Butler, Executive Director of Supervision - Investment, Wholesale and Specialists at the FCA, delivered a speech looking at some of the key themes from the cross-sector report (November 2018)
- An infographic about responding to ransomware (November 2018)
- An infographic on the basics of network security (June 2018)
- Robin Jones, Head of the Technology, Resilience and Cyber Department at the FCA, delivered a speech on building cyber resilience (January 2018)
- A guide for firms on the foundations of good cyber security (June 2017)
- Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (July 2018)
- Information on fake emails from the FCA (May 2017)
- A statement on the recent ransomware attack (May 2017)
- Nausicaa Delfas, our chief operating officer, delivered a speech outlining our approach to cyber resilience in September 2016
- Nausicaa also delivered a speech on the current threat landscape in April 2017
Reporting a cyber incident
Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:
- results in significant loss of data, or the availability or control of your IT systems
- affects a large number of customers
- results in unauthorised access to, or malicious software present on, your information and communication systems
We will update these requirements in line with any future regulations.
How to report a cyber incident
1. If you judge a cyber incident to be material, report it as follows:
- Fixed firms should contact their named FCA supervisors, and flexible firms should call 0300 500 0597 or email [email protected].
- If your firm is dual-regulated, you should also contact the Prudential Regulation Authority.
- If the incident is criminal, you should contact Action Fraud or call them on 0300 123 2040.
- If the incident is a data breach, you may need to report it to the Information Commissioner's Office.
2. Refer to the NCSC guidance on reporting incidents.
3. Share on the CiSP platform.
Cyber and operational resilience testing
To help both firms and us to understand their cyber resilience capability at a high level, the FCA and PRA have created a self-assessment questionnaire. CQUEST consists of multiple-choice questions covering aspects of cyber resilience, such as:
- Does the firm have a board-approved cyber security strategy?
- How does it identify and protect its critical assets?
- How does it detect and respond to an incident, recover the business and learn from the experience?
The answers provide a valuable snapshot of a firm’s cyber resilience capability, and highlight areas for further development. If you would like to complete the questionnaire please email: [email protected].
The FCA has created a broader operational resilience self-assessment questionnaire to help both firms and us understand their operational resilience (including cyber) capabilities. If you would like to complete the questionnaire please email: [email protected].