Cyber and technology resilience in UK financial services

Speech by Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, delivered at Bloomberg, London.

Speaker: Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists
Event: Bloomberg, London
Delivered: 27 November 2018
Note: this is the speech as drafted and may differ from the delivered version

Highlights:

  • Firms have reported significantly more outages and cyber attacks over the last year
  • Cyber security is not just a technology risk, it is a human risk
  • According to our survey, nearly half of firms do not upgrade or retire old IT systems in time
  • Only 56% of firms say they can measure the effectiveness of their information asset controls.

As we’re closing in on 2019, this seems a good point to mention that next year – according to the original Blade Runner film – the Earth will be dealing with synthetic humans.

That prediction hasn’t aged particularly well. But it speaks to an important point. New technologies create threats that are extremely difficult to anticipate. And from a regulatory perspective, this is a fundamental challenge.

So my plan this morning is to give you an FCA view on how well UK financial services are managing risks associated with new technology. Using analysis that we’ve published today from our survey on tech and cyber resilience, which nearly 300 firms completed between 2017 and 2018.

Before I do that though, let me stress that the FCA starts from a position that innovation has had a fundamentally positive impact on UK finance.

It’s easy to be blasé about ‘everyday’ technologies like mobile banking, investment apps, fund transfer, wearable tech and contactless payment. But to a customer 20 years ago, they’d seem genuinely remarkable.

Likewise, in non-retail markets, we’ve seen steps forward in areas that no-one predicted. Like trading algorithms, blockchain technology, market infrastructure, and neural networks. Supporting liquidity and reducing trading costs, as well as improving execution quality.

A traditional view of regulation is that it is a barrier to this kind of progress. This is emphatically not the case with the FCA. We use our own technology to help model risk and detect issues like market abuse.

We also work extremely hard to promote useful innovation in financial services through both Innovate, as well as our regtech team, which is currently acting as an observer on a number of proof of concept anti-money laundering (AML) projects. We are trying to be at the forefront of the innovation and technology regulatory agenda.

Technology incidents are increasing rapidly

My primary focus though this morning, as I’ve said, is on the management of risk. Not the benefits of tech. And to that point, I want to start with the following warning.

On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.

In the year to October, firms reported a 138% increase in technology outages to the FCA, with 18% of all the incidents reported to us cyber-related.

I do want to stress a couple of points here though. First, the increase in incidents reported to the FCA doesn’t present a one dimensional picture of a surge in cyber-attacks and outages. Firms are reporting incidents more robustly. Albeit we strongly suspect that under-reporting is still a problem.

Second, the FCA does not expect ‘zero-failure’. A point that is explicitly made in July’s FCA, Bank of England discussion paper on operational resilience. In that we talk about setting ‘impact tolerances’ and the ability of firms to ‘recover and learn from operational disruptions’.

If I can put that another way for today’s purposes: the true test of the resilience of UK finance is not the absence of incidents. It’s how well incidents are managed.

So from the FCA perspective, the really important questions are along the following lines. Are firms operating strong lines of defence? Are firms resolving issues swiftly? Are firms responding to emerging threats? Are firms managing third parties effectively?

And today’s report, which I’ll turn to now, gives us interesting clues as to the answers to those questions.

I’ll go through the key themes, which cover 28 questions on technology and 46 on cyber resilience. But I want to start with tech because its mass adoption is totally unprecedented. Raising fundamental questions about what happens when it goes wrong. Especially in industries, like finance, that have hallmarks of utility services.

Tech outages – impact and key issues

To put it bluntly, if your Amazon Alexa falls silent, you look out of the window to see what the weather is like.

If your bank stops working, your life and business can be severely constrained. A point that is especially true in the UK today with the decline in use of physical currency. And we should remember that this is the first year where the total number of debit card transactions has outstripped cash transactions.

So you won’t be surprised to hear me say that the FCA is deeply concerned that the number of technology incidents reported to us has increased, with many outages linked to re-platforming and outsourcing failures. The most prominent of these is perhaps TSB’s information technology (IT) migration earlier this year. But we’ve also seen a lot of recent outages caused by relatively small changes, usually made on a week day evening.

Now, as the Bank and FCA say in our discussion paper, everyone knows that firms need to make regular changes – of varying size and complexity – to technology estates, and that from time to time things will go wrong.

But we are worried that a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date.

Both large and smaller businesses described it as a strength in our questionnaire. Yet this is a level of confidence that simply isn’t supported by the data we’ve collected on the ground. 20% of the incidents reported to us over the last 12 months were explicitly linked to weaknesses in change management. Making it the most frequent cause of outages and implying a mismatch between corporate expectations and reality.

There are 2 possible explanations for this. The first is that people are ignoring dangerous or negative information. Behavioural scientists might describe this as an ‘Ostrich bias’. The second is that leaders don’t appreciate the level of risk, or else they overestimate their abilities. An overconfidence bias. And this overconfidence bias does seem to be particularly characteristic in financial services.

Either way, you reach the same answer. Leaders need enough Board-level knowledge, in-house capability, and high quality management information (MI) to question the infallibility of their big (and small) ticket IT change programmes.

What you tend to find in practice is often a little different. The tech landscape is characterised by massive outsource functionality in IT, with chief information officers (CIOs) commanding armies of semi-permanent contractors, or unregulated third parties. Yet only 66% of large firms, and 59% of smaller firms, tell us that they understand the response and recovery plans of their third parties. 

On top of this, we know there is a real problem at the moment around recruiting the right skills at the top level; to steer, set strategy and oversee this model.

Historically, and for most of my career in this industry, the rock stars of finance were always the alpha traders. Today, it’s the CIOs and IT consultants who are in high demand and short supply. Meaning the best are difficult to employ and hard to retain. A challenge reflected by the fact that all the wholesale banks and asset managers we met after this survey said they were concerned about a shortage of cyber expertise.

Tech – Managing those issues

So, how do we expect firms to deal with these issues?

The basic answer is that we’re happy for your business to find solutions that work for you. So long as they allow you to demonstrate your systems and controls work. Some businesses, for example, use training and simulation exercises to stress test their IT. Others bring in third party advisors to support Boards. Providing context and challenge to cyber strategies, as well as an impartial assessment of cyber resilience capability.

Our own observation is that the most effective management of risk takes place in firms that employ a traditional ‘three lines of defence’ model. And where each of these lines is strong. Creating clarity and identifiable roles, as well as a natural check and challenge between them that promotes a healthy culture.

I’d add that Boards and senior management can achieve better standards of operational resilience by focusing on the continuity of their most important business services. You will have seen the emphasis on this in the discussion paper, which says that we consider the continuity of business services ‘an essential component of operational resilience’.

The paper also makes it clear that: ‘avoiding disruption to a particular system supporting a business service is a contributing factor to operational resilience’ and that ‘ultimately, it is the business service that needs to be resilient – and needs to continue to be provided’. A point addressed, at least in part, by the addition of technology resilience to the Chief Operations function under our senior managers regime.

Nonetheless, we are conscious that all of this still surfaces that challenge of skills at board level. As I’ve said, there needs to be enough understanding of risk and technology at the highest level of firms to take sensible decisions.

This challenge is raised to me more often than any other at Board level. Some try to achieve this by imposing tech expertise directly onto a Board. This gives its own challenges as this solution runs the risk of diluting the joint responsibility taken by Boards, quite apart from the problem of technology expertise rapidly becoming out of date.

How you deal with issues of this kind will depend on the context of the organisation. I’ll just say though that I think this is a wider issue than a lack of deep IT knowledge. The culture that Boards create is also fundamental.

Are you establishing appropriate tolerances for operational disruption? You will have seen last week’s announcement of the Treasury Select Committee enquiry into IT failures in financial services.

Are back-up plans in place?

Are there response and recovery options?

Do your staff and contractors take into account the long-term interests of customers?

And do you have appropriate staff training?

My point here being that a lot of the time, it isn’t technology at fault when things go wrong. It’s classic systems and control failures. 

Take Tesco Bank’s cyber attack as an example: It had specific warning of the threat and failed to put in place an effective defence, which left its customers in a vulnerable position for a significant period of time. It then had to fix the problem in an urgent situation as attacks to its customers were being made which, in the end was effective, but only after attacks had succeeded. It then acted promptly to remediate and redress the harm. But it should never have exposed its customers to a known cyber risk.

Cyber attacks – impact and key issues

And this brings me on to my second theme this morning. Cyber resilience.

Attacks are, unfortunately, now a familiar story.

NotPetya is probably the most publicly recognisable because it paralysed some of Europe’s largest companies, and took out critical infrastructure in Ukraine’s banking system. But the cast list of organisations hit by big data leaks is long and growing: Cathay Pacific, JP Morgan, British Airways, Yahoo, My Heritage, Facebook, eBay, Uber and Equifax among them.

You’ll notice that financial services aren’t over represented in that group. And our analysis today suggests this isn’t just luck. Areas like retail banking, payments, and pensions and retirement income, in particular, describe themselves in our report as having effective cyber controls. 

But it is important to say that we are seeing some serious vulnerabilities across areas like identification of key assets, information and detection.

Again, I emphatically do not want to underplay the nature of the threat facing firms.

‘Business-like’ is perhaps the best way of describing cyber-criminals’ approach. They are attracted to it because they see it as a low-risk, high-reward model. And they are continually lowering technical barriers to entry. Making crimeware-as-a-service available on the dark web.

The result is that the current threat level is remarkable. Cyberattacks are now sandwiched between ‘failure of climate-change mitigation’ and ‘large-scale, involuntary migration’ on the World Economic Forum’s 2018 risk landscape. And it is believed that Webstresser, the online cybercrime market, has been used to launch some 4 million Distributed Denial of Service Attacks.

This creates risks not just for individual customers’ money and data. But for the UK economy. A point explicitly picked up in July’s joint discussion paper and last week’s Government report on the security of critical national infrastructure. Both of which talk through the systemic risks that cyber attacks could introduce.

Keeping this in mind, it is a major concern that a lot of firms still seem to be trying to get the basics right on cyber.

A third of firms do not perform regular cyber assessments. Most know where their data is. But describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time. Only 56% say they can measure the effectiveness of their information asset controls.

And only the largest firms have automated their detection systems to spot potential cyber attacks. Smaller firms are generally relying on old school, manual processes – or no processes at all. A problem if you need to respond to a fast-moving incident like a WannaCry or NotPetya attack.

Cyber attacks – managing those issues

Again, the problem here (leaving the perpetrators to one side for a moment) is fundamentally a systems and controls issue.

According to today’s report, the most mature sectors (in terms of the cyber capabilities of large firms) are, non-bank payments, retail banking, and wholesale banking. In that order. The least mature are, wholesale markets, retail investments, and retail lending. Among smaller firms, general insurance and protection are the most mature. Retail investments the least.

The essential point to make here though is that irrespective of firm size or sector, cyber is not just a technology risk; it is a human risk.

Computers are perfectly neutral regarding their output. It is your people who decide whether to use them for a specific reason, and what the purpose of that is. That use can be intentional or unintentional, sender or recipient, attacker or victim. We’re humans, we make mistakes.

So if we fail to educate and support people, and an employee then triggers an impact, is that their issue? Or did their employer fail to provide them with the support that they needed to perform their role?

At the moment, a lot of firms – 90% in fact – tell us that they operate a cyber awareness programme. But a theme of today’s report is that businesses are struggling to identify and manage high risk staff, including those who deal with critical and sensitive data.

By creating a positive security culture you can build a truly resilient business. You can use the eyes and ears of your firm to react and respond to threats quickly (and accurately) and hopefully deal with issues before they ever become an incident. Recognising this success then helps to build and reinforce that secure culture.

Conclusion – International work

I want to conclude though with a quick point about the responsibilities of the FCA and other regulators.

I hope I’ve made it clear this morning that we understand the sophistication of the threats you face, and how difficult they are to manage.

Our intention is to provide assistance to you where we can. And it’s in that spirit that we’ve published today’s report, along with an infographic on ransomware incident. This adds to other information already available on our website. Please read it and follow National Crime Agency advice not to pay.

It is also why we take our international responsibility extremely seriously. The FCA has contributed to the Financial Stability Board’s Cyber Lexicon, created to provide clarity and understanding on cyber security language when used between different jurisdictions.

For light reading, the G7 has also published further ‘Fundamental Elements on Third Party Risk Management and Threat Led Penetration Testing’, where the FCA again provided significant contribution.

And it continues to work on Cross-Jurisdiction Exercising and Cross-Sector Co-ordination, designed to broaden the sector’s understanding of potential risks, develop more efficient responses to incidents, and increase resilience.

These are important steps. Albeit we understand that not every country is positively engaged.

To end, let me thank you again and leave you with that message around the importance of a positive security culture. With all your people acting as your eyes and ears. Because even rock star CIOs can’t shoulder all the responsibility.