Building cyber resilience

Speech by Robin Jones, Head of Technology, Resilience & Cyber at the FCA, delivered to the PIMFA Financial Crime Conference, London.

Speaker: Robin Jones, Head of Technology, Resilience & Cyber
Event: PIMFA Financial Crime Conference, London
Delivered: 25 January
Note: this is the speech as drafted and may differ from the delivered version

Highlights

  • It is vital that firms protect their critical information, detect attempts to breach these protective controls and respond quickly and effectively.
  • We do not operate in a zero failure environment and cyber-attacks will actively adapt to defensive controls.
  • Resilience is key. Build effective cyber capability, implement effective accountability, and be prepared and able to enter recovery at any time.
  • Put the foundational elements in place, help your people to be secure and implement effective governance.

Technological innovations transform how we live. Think of the internal combustion engine – first patented in 1794. This led to the first cars in the mid-1880s; the Wright Brothers aeroplane in 1903; and the first liquid fuelled rocket in 1939. This technology made transport more efficient. We have revolutionised how we connect people and can even see our planet from space. But with new innovation comes new risks. We have learned new behaviours to manage these risks.

Turning now to digital innovation: the first computer was made around 1948, the World Wide Web in the 1980s and cloud computing today. These innovations connect us all to each other, to services and to data. But, as I have said, with innovation comes new risks, and cyber presents a very significant risk in its scale and unpredictability; you all know this. But in the same way we have managed risks from combustion engines, we need to understand how we can minimise the harm from a cyber-attack. As set out in the government’s National Cyber Security Strategy 2016 to 2021, we need to be secure and resilient, whilst remaining prosperous and confident in a digital world.

In the last 3 years there have been significant data thefts or systems crippled by ransomware. Well publicised examples include:

  • Sony
  • TalkTalk
  • WannaCry
  • Equifax

In the past 12 months, the National Cyber Security Centre recorded over 1100 reported attacks, with 590 regarded as significant. 30 of these required action by government bodies, a number of which included the Financial Sector. In real terms, the UK deals with more than 10 significant cyber-attacks every week. In 2017 we had 69 material attacks reported to us, an increase on the 38 last year and 24 the year before. Recent ONS statistics show about 1.9 million incidents of fraud were cyber related.

The personal problem

Today we are seeing individuals and criminal groups developing tools and exploiting vulnerabilities on an industrial scale. And with the speed of data processing and interconnectedness of systems, attacks travel fast.

In June 2017, still raw from the unprecedented global events caused by WannaCry, the world saw a second attack: NotPetya. This attack was designed to spread fast and cause maximum damage to companies of all sizes, using the powerful Petya malware code combined with leaked NSA exploits. For those that patched the vulnerabilities identified by WannaCry, the attack was contained quickly.

The NotPetya malware was designed to use a collection of tools to infect machines and travel through a network as rapidly as possible. One report put the time of total failure of one of the largest victims of the NotPetya attack, with almost 10,000 connected systems, at just 19 minutes.

What do we expect to see?

If your firm had 19 minutes where would you start? Consider that this was the time it took to infect 10,000 systems. Is your estate smaller? If it is, then you should reduce the amount of time; so now you have even less time to react. Where would you start with less time?

In a digital world, as a regulator we care about resilience. Our vision of resilience is that firms can protect themselves from many attacks and identify threats and vulnerabilities. But we know attacks will happen. Therefore, firms should be able to detect attacks that are successful and know how to respond to and recover: to contain any disruption, restore lost service or protect vital data - quickly.

These are the basic principles of cyber resilience. How firms achieve these basic principles will depend on what is appropriate for each business, its customers and suppliers. Our ambition is to raise awareness and the capability of the firms we regulate to have good cyber hygiene, a good security culture and good governance. We want you to be as secure and resilient as you can be and we recognise that this will mean different things to different sizes and business models of firms we regulate.

What do we want you to do?

You need to have an understanding of your key assets and be constantly assessing where they are vulnerable. If you only had 19 minutes, what would you need to protect the most? A firm which understands what its critical assets are - and their back up arrangements - is much better informed to protect those assets than one that does not. And for data theft, the focus is on knowing what is important and protecting that and your customers from its theft. Many attackers have exploited the simplest and oldest vulnerabilities, so addressing basic hygiene factors such as vulnerabilities in old systems or patching on a regular cycle is important.

But it’s not just about technology: people can often be the weakest link. We have said previously that staff awareness is a vital element of protection – e.g. to spot phishing emails, ensure password disciplines and data controls are maintained. And what about your suppliers? Who has access to your systems? Do they need it? Change passwords regularly, manage access to your systems and classify your data; these are a few of the ways that you can build layers of resilience to create a good security culture with all your staff.

All of these mean putting strong governance in place and having visible leadership.

It is critical that business leaders understand what a cyber-attack could do, how to respond and recover. We understand this makes demands of already busy senior leaders. But we think it is important this is no longer confined to the technology department. It needs to move into the Board room. It needs to be understood as a significant risk to the operation of a business, its consumers and wider markets.

We can all think of businesses which have suffered from high profile cyber-attacks in the last 12 months. We can learn some key lessons from the cyber-attacks that have already happened. 

The first lesson is addressing the basics. As I have already said, attacks often exploit well-known vulnerabilities. When the National Audit Office investigated the WannaCry incident, they found that much of the attack could have been prevented if the NHS had followed basic security best practice.

The second lesson is to detect attacks, stop them spreading and have in place robust contingency plans. The best way to mitigate a ransomware attack is to have a back up: know and agree your organisation’s tolerance for systems or data being unavailable.

The third lesson is to ensure any contingency plan includes a communications plan. For example, know how to get hold of key people, how to contact staff and very importantly how to contact consumers and suppliers – and authorities. Too often we see firms creating these plans at the same time as dealing with the effects of an attack - juggling containment and recovery with consumer questions, press and supplier enquiries which all mount up very quickly.

I will give you an example. Last year, during a financial sector contingency planning exercise, one particular financial firm stood out. The firm had thought about lesson three – they had a clear, well-thought-out plan and they executed it effectively. They had thought ahead of time about what their customers may need in the event of an attack: for example, what to do or where to go. Indeed it became so apparent that others participating in the same exercise began to do the same and quickly updated their customer communications through their websites and other media outlets. Response and recovery require thought-out plans in advance which have been practised and tested – they should not be created as the incident unfolds.

Our agenda

From an FCA supervision perspective, we use a risk-based approach, concentrating our biggest effort on those firms with the potential to cause biggest harm to both consumers and markets.

We have recently carried out assessments across many of the sectors we regulate and have seen the following areas where firms could improve: focusing on basic hygiene, being better at identifying their critical assets including data, improving detection of attacks (e.g. using monitoring software). There also needs to be a focus on security culture amongst all staff e.g. training and awareness and raising levels of understanding at Board level. If you can improve in these areas, you will build a more resilient foundation focused on the right security controls on the right systems and data, and you will be able to spot abnormal activity so that your staff become part of your system of protection.

As a supervisor of 56,000 firms we have actively sought to support smaller firms as we will not be able to review in detail the resilience of the whole sector. That is why we have published an infographic, in partnership with HMT, Bank of England, Prudential Regulation Authority (PRA) and National Cyber Security Centre (NCSC). This gives information about basic cyber hygiene and what to do if there is an attack, including who to contact. For example, smaller firms can use NCSC’s Cyber Essentials accreditation and connect to the Cyber Information Sharing Partnership (CISP) run by the NCSC. We plan further such communications during this year as we are passionate about increasing awareness and resilience across the financial sector. We consider this infographic to be of particular relevance to some of our smaller organisations.

We continue to work very closely with other financial authorities and the NCSC. Our work with the Bank of England and Prudential Regulation Authority continues, the first round of CBEST testing is complete and we are working together on the evolution of CBEST. Our work with the NCSC provides us with wider industry engagement, using the significant amount of material available to support firms of any size and providing guidance on best practice in cyber resilience. If you don’t already, I encourage you to use these resources.

We have also introduced cyber co-ordination groups across different financial sectors with over 175 firms participating on a quarterly basis. Firms share information about cyber experiences to help promote understanding and increase awareness. These networks are vital in helping to stop contagion across sectors as well as providing opportunities to share thoughts and ideas. We are actively investigating ways to share the outcomes and key themes from these groups with a much wider financial sector audience, to benefit those firms who are unable to attend and provide context between the various sectors and better inform the industry.

Finally, and very importantly, we want to ensure that firms know how to respond when they are attacked. We work closely with the other Financial Authorities and the NCSC to ensure that appropriate levels of support are provided for firms that require it. And that communications channels are made available for other firms to be made aware of an incident if appropriate. Of course, we do require firms to tell us promptly. We have worked with industry and with the other Financial Authorities to create the Financial Sector Incident Response Guide. This guide provides useful advice to all firms about where to seek help, what reporting responsibilities are, and how to properly respond to a cyber incident. It is freely available on CiSP and I encourage you to get a copy for your organisations.

Conclusion

The cyber landscape is complex and unpredictable. When attacks happen they happen fast, in just minutes. That means response and recovery are just as important as protection and detection.

At the FCA we want firms to be resilient and robust. That means you understand what to protect, how you can swiftly detect an attack, and how you can respond and recover. If you can do these you will have built a successful foundation for resilience.

Our challenge to you all is to embrace this effort. Attacks will happen, so be critical of yourselves, learn new behaviours and build resilience.

Thank you.