This publication provides an overview of insights arising from the discussions held at the FCA’s quarterly Cyber Coordination Group (CCG) meetings throughout 2021.
This publication is split into 3 sections: the first highlights the cyber risk landscape, as well as emerging cyber risks discussed at the CCGs in 2021. This is followed by 2 focus topics in which we summarise members’ insights on board engagement with cyber security and the state of DevSecOps. The focus topics are agreed prior to each forum by the industry and FCA co-chairs.
Background to the Cyber Coordination Groups
Since the CCG programme was launched in 2017, the CCGs have brought together cyber security and technology risk leaders from industry in shared forums and connected them with multiple authorities responsible for cyber resilience across the financial sector, to discuss key topics in a secure environment.
The member firms were joined by representatives from UK financial authorities and UK Government agencies (the Authorities) including the Treasury, the FCA, the Bank of England, the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).
The CCG forums are held on a quarterly basis with the aim to help firms share knowledge, challenges and good practices for protecting the financial sector from cyber threats. They also promote engagement between the financial sector and the Authorities.
In 2021, we held 30 forums and brought together 152 firms across 7 CCGs, with each CCG representing a specific sub-sector. These sub-sectors were Insurance, Investment Management, Fund Management, Retail Banking and Payments Firms, Retail Investments and Lending, Brokers/Principal Trading Firms and Trading Venues/Benchmark Administration Firms.
The FCA also supports the Trade Association Cyber Information Group (TACIG) forum which brings together leading Financial Sector Trade Association bodies, to maximise information sharing relevant to the financial sector.
This is our fourth annual CCG insights publication. As with previous years, it draws on the knowledge shared from the past year’s CCG discussions, with the aim of sharing information and good practices to the wider financial sector. The insights cover broad cyber risks that span sector priorities as well as the key themes that were discussed in depth by some or all the CCGs.
The key insights discussed in this publication include:
- Malicious cyber actors targeting internet-facing systems such as email servers and virtual private networks (VPNs) with newly disclosed vulnerabilities, ransomware attacks using exposed Remote Desktop Protocol (RDP) ports and unpatched devices, denial of service attacks, and inadequate supply chain oversight leading to supply chain compromise.
- The coronavirus (Covid-19) pandemic continued to impact the sector in 2021, with the challenges posed by remote and hybrid ways of working.
- Emerging trends in cyber security risks include supply chain compromise and the exploitation of zero-day vulnerabilities.
- The importance of board engagement in setting the organisational cyber risk appetite. This also extends to board support in measuring the effectiveness of cyber security postures, and board assurance that supply chain partners effectively protect the information shared with them.
- Several common good practices can be used for implementing security in the early stages of the software development cycle (also known as DevSecOps). These include empowering development teams to adopt security practices rather than mandating them, and giving development teams direct access to security tools.
This publication is not FCA guidance on rules under section 139A of the Financial Services and Markets Act 2000. It does not set out FCA expectations for systems and controls that firms should have in place to comply with our regulatory requirements.
All insights have been shared by one or more firms within the CCGs, and much of the discussion supports existing guidance from the NCSC.
Section 1: Cyber threats and emerging trends
The cyber threat landscape continues to evolve rapidly. Global cyber threats such as the exploitation of zero-day vulnerabilities and ransomware attacks on firms and their supply chains are posing significant challenges for the financial sector.
The pandemic continued to present financial services firms with many information security challenges, including an increase in targeted phishing campaigns (using spoofed emails and researched targets rather than generic phishing emails), the invoking of extensive business continuity plans, and significant changes to the way firms operate day to day.
In this section, we summarise the main cyber risks identified by CCG members throughout 2021, as well as several emerging cyber security trends.
Malicious cyber actors
Some CCG members highlighted the risk of malicious cyber actors targeting internet-facing systems such as email servers and virtual private networks (VPNs) with newly disclosed vulnerabilities. The CCG members discussed with the NCSC the joint advisories it issued with international partners on these topics, such as those on Microsoft Exchange and Fortinet products.
Ransomware attacks continue to challenge firms
The NCSC stated that by April 2021, it had handled the equivalent number of ransomware incidents as it had across all of 2020, which was itself a 300% increase on 2019. The NCSC reported that the most common entry points used by threat actors for ransomware attacks were exposed Remote Desktop Protocol (RDP) ports, as well as unpatched software, hardware or VPN devices.
CCG members agreed that weak user authentication and port targeting (attackers scanning for RDP exposed directly to the internet) were 2 of the main weaknesses in RDP deployments that led to successful cyber security attacks.
Supply chain oversight is an increasingly complex security challenge
Inadequate oversight of supply chains, as well as the poor security postures of suppliers, continue to be a challenge for member firms. Members noted that in some cases oversight of supply chains can fall under separate business functions, which requires extremely close and collaborative working relationships across the organisation.
Understanding where third-party software has wide-ranging access is critical to IT governance; endpoint tools and vulnerability scanners are typical examples. These utilities should be the focus for enhanced monitoring and/or privileged access controls.
Members said some current third-party due diligence is outdated and ineffective. Members shared that questionnaire-based due diligence does not necessarily identify risks of sophisticated attacks or of compromised software. Member firms suggested that an alternative should be developed, such as an independent body providing assurance of suppliers to the financial sector via a shared assessment scheme.
Working securely during the pandemic
The coronavirus pandemic continued to impact the sector in 2021, with challenges posed by remote and hybrid ways of working and increased use of VPNs. CCG members also discussed challenges in monitoring employees working remotely. This topic was widely covered in the 2020 Cyber Insights publication.
CCG members identified supply chain compromise and zero-day vulnerabilities as the top 2 emerging trends they were most focused on.
Supply Chain compromise – legacy from SolarWinds
The SolarWinds incident that was discovered in late December 2020 was a topic of interest for member firms in 2021. In April 2021 the NCSC, together with its U.S. security counterparts, shared its view that Russia’s Foreign Intelligence Service (SVR) was behind the SolarWinds attack.
An attacker is likely to have been able to add a malicious, unauthorised modification to SolarWinds Orion products to send administrator-level commands to any affected installation. The compromised Orion IT management platform was subsequently used to deliver onward attacks to connected systems.
CCG members discussed how the SolarWinds incident impacted sector-wide resilience and in particular the severity of recent supply chain incidents.
Members agreed that reacting quickly once a breach has occurred is critical, especially in cases where a nation-state actor may be involved.
Fast patching was highlighted as vital for this type of incident. Members agreed that communication between Crisis and Business Continuity Management teams and Cyber Security teams is essential.
Reaching out to critical suppliers and partners and understanding how they’ve been affected was critical.
Boards also took a keen interest in this incident and sought assurance. However, responses to SolarWinds were generally slow, and many suppliers are not regulated to the same degree as their financial services clients (eg CCG members).
Members proposed setting stricter service-level agreements in firms’ contracts with third parties to help address this.
Members reported that there has been little change in threat modelling after SolarWinds. However, they noted that the likelihood of supply chain compromise may in fact increase as SolarWinds would have been seen by attackers as having been highly successful.
General good practice
Good practice shared by members included:
- Moving towards Zero Trust in a network can limit the impact of zero-day attacks. While firms adapt to a Zero Trust approach, members suggested a practical short-term step is to increase firms’ use of host-based (endpoint) firewalls.
- Restricting and monitoring what data can leave servers, as well as restricting incoming data, is crucial in preventing and responding to zero-day attacks, in particular limiting outbound access to the internet: an exploited server that cannot reach the attacker’s infrastructure is far harder to turn into a foothold.
- Segregating internal environments to limit lateral movement. Members proposed micro-segmentation as a further way to reduce lateral movement.
- Implement privileged access management, and limit privileges given to vendor products by default.
- Understanding network traffic flows (including DNS) to set a baseline for normal activity and detect anomalies was said to be more effective than relying on defining abnormal activity in advance.
- User Behaviour Analytics solutions were noted by some members as being helpful, especially if they can be extended to server accounts.
- Tabletop exercises and incident response playbooks can be a practical way to help identify where vulnerabilities and key dependencies reside.
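As an added illustration of the baselining approach in the list above (this is example code written for this page, not something shared by CCG members, the FCA or the NCSC): the script builds a per-client baseline of registered domains from a learning window of DNS resolver logs, then flags, in a later window, queries to domains a client has never resolved before and long high-entropy labels of the kind used for DNS tunnelling and exfiltration. The log lines, client addresses, hostnames and thresholds are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS resolver logs (not real traffic): "epoch client qname qtype".
# BASELINE_LOG is the learning window; EVAL_LOG is judged against it.
BASELINE_LOG = """\
1638316800 10.0.1.15 www.example.com A
1638316805 10.0.1.15 mail.example.com A
1638316810 10.0.1.15 cdn.example.net A
1638316820 10.0.1.22 www.example.com A
1638316830 10.0.1.22 updates.vendor.example A
1638316840 10.0.1.15 www.example.com A
1638316850 10.0.1.22 cdn.example.net A
"""

EVAL_LOG = """\
1638403200 10.0.1.15 www.example.com A
1638403201 10.0.1.15 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3.exfil.test TXT
1638403202 10.0.1.15 9f8e7d6c5b4a392817160504f3e2d1c0.exfil.test TXT
1638403203 10.0.1.15 0011223344556677889900aabbccddee.exfil.test TXT
1638403210 10.0.1.22 updates.vendor.example A
1638403220 10.0.1.22 www.example.com A
"""


def parse_log(text):
    """Yield (epoch, client, qname, qtype) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, client, qname, qtype = line.split()
        yield int(epoch), client, qname.lower().rstrip("."), qtype


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registrable domain.
    A production tool would consult the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character: hex/base32 blobs sit near 4, words nearer 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_baseline(text):
    """Per-client set of registered domains observed during the learning window."""
    seen = defaultdict(set)
    for _, client, qname, _ in parse_log(text):
        seen[client].add(registered_domain(qname))
    return seen


def detect_anomalies(baseline, text, min_label_len=20, min_entropy=3.2):
    """Aggregate the evaluation window per (client, domain) and report domains
    that are new for that client and/or carry tunnelling-like labels."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious_labels": 0, "qtypes": set()})
    for _, client, qname, qtype in parse_log(text):
        rec = stats[(client, registered_domain(qname))]
        rec["queries"] += 1
        rec["qtypes"].add(qtype)
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            rec["suspicious_labels"] += 1

    findings = []
    for (client, domain), rec in sorted(stats.items()):
        reasons = []
        if domain not in baseline.get(client, set()):
            reasons.append("new domain for this client")
        if rec["suspicious_labels"]:
            reasons.append("long high-entropy labels")
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "queries": rec["queries"],
                             "qtypes": sorted(rec["qtypes"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_LOG), EVAL_LOG):
        print(finding)
```

On the constructed data only the 10.0.1.15 traffic to exfil.test is reported: it is absent from that client’s baseline and every label is a 32-character high-entropy blob. "New domain" on its own is noisy in a real estate, so in practice it is combined with a learning window long enough to cover normal business cycles and an allowlist for content delivery and update domains; the entropy test is the more discriminating signal.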
Zero-day vulnerabilities: Log4Shell and Log4j
A zero-day vulnerability is a security weakness for which no fix is yet available; a zero-day exploit is an attack that takes advantage of it. The name reflects that, once the weakness is discovered, the software developer or organisation has had zero days to produce a fix. Because no patch exists, a zero-day cannot be closed by patching alone: until a fix ships, defenders rely on compensating controls such as those listed above (restricting outbound access, segmentation, least privilege for vendor products and monitoring against a known baseline), which is why attacks on environments without such controls are highly likely to succeed.
Log4Shell (CVE-2021-44228), a critical vulnerability that is relatively easy to exploit, involves a previously obscure but nearly ubiquitous piece of software, Log4j, an open-source Java logging library maintained by the Apache Software Foundation. An attacker who can get a crafted string into a message that an application logs can make the library perform a JNDI lookup against an attacker-controlled server, leading to remote code execution.
Almost all software has logging functionality for development, operational and security purposes, and Log4j is a commonly used example of this.
The initial Apache Log4j vulnerability was disclosed on 9 December 2021 and was assigned the maximum CVSS (common vulnerability scoring system) score of 10.0. This led to mass reconnaissance and exploitation activity by threat actors.
Organisations are faced with the challenge to identify where Log4j is being used in their organisations as it’s often bundled as part of other software. As a result of Log4j’s varied use there is no universal fix or software patch.
- Depending on how Log4j was incorporated in a system, the fix will require different approaches: a vendor system update (as issued for some Cisco products), upgrading to a fixed version of the library, or removing the vulnerable code manually (for affected Log4j 2 releases, Apache documented deleting the JndiLookup class from the log4j-core jar as a mitigation where an immediate upgrade was not possible).
- Members questioned existing due diligence methods, and the extent to which a trusted partner’s or vendor’s software patches are simply trusted: beyond their authenticity (code signing), they cannot be independently verified. As the SolarWinds incident showed, a valid signature proves who published a package, not that its contents are safe.
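An added example of the identification step described above (written for this page; it is not code from the CCGs, the NCSC or the Apache project): a Python scanner that opens zip-based archives (jar, war, ear), reads the Maven pom.properties that log4j-core ships with, checks for the JndiLookup class whose removal was Apache’s documented manual mitigation, and recurses into nested archives, since the library is usually buried inside an application bundle rather than installed on its own. The sample war is built in memory for the example. The fixed-version branches encode only Apache’s advisory for CVE-2021-44228 (2.15.0, with the 2.12.2 and 2.3.1 backport lines), not the later Log4j CVEs, so the verdict is a triage signal rather than a complete assessment.

```python
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Branches in which Apache fixed CVE-2021-44228: 2.15.0 and later, plus the
# 2.12.x (Java 7) and 2.3.x (Java 6) backport lines. Later CVEs are out of scope.
FIXED_BRANCHES = (((2, 15, 0), None), ((2, 12, 2), (2, 13, 0)), ((2, 3, 1), (2, 4, 0)))


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(vt):
    return any(lo <= vt and (hi is None or vt < hi) for lo, hi in FIXED_BRANCHES)


def assess(version, jndi_present):
    """Turn (declared version, JndiLookup present?) into a triage verdict."""
    if version is None:
        return "log4j-core version unknown, JndiLookup present: investigate"
    vt = version_tuple(version)
    if vt[0] != 2:
        return "not log4j 2.x: CVE-2021-44228 does not apply"
    if is_fixed(vt):
        return "fixed for CVE-2021-44228"
    if jndi_present:
        return "vulnerable: CVE-2021-44228 (upgrade log4j-core)"
    return "JndiLookup.class removed: manual mitigation applied, upgrade still advised"


def scan_archive(data, origin):
    """Inspect one archive held in memory and recurse into any archives it contains."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi_present = JNDI_LOOKUP in names
    if version is not None or jndi_present:
        findings.append({"location": origin, "version": version,
                         "jndi_lookup_present": jndi_present,
                         "assessment": assess(version, jndi_present)})
    for name in names:  # fat jars, wars and ears nest further archives
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), f"{origin}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. an application server's deploy folder) and scan every archive."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def _make_log4j_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar containing only the two entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def build_sample_war():
    """Constructed web application bundle with three nested log4j-core jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/classes/Hello.class", b"\xca\xfe\xba\xbe")
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _make_log4j_jar("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-core-2.14.1-patched.jar", _make_log4j_jar("2.14.1", False))
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _make_log4j_jar("2.17.1"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "app.war"):
        print(finding)
```

Run scan_tree against a deploy directory to get one record per embedded copy of log4j-core, with the nesting path (app.war!WEB-INF/lib/…) so that the owning application can be identified. Shaded or repackaged builds that rename the class path will not carry the pom.properties entry, which is why the class check is kept alongside the version check; a copy loaded from outside any archive (exploded deployments, vendor appliances) still needs the vendor’s own advisory.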
Section 2: Board engagement on cyber security
CCG members noted that awareness of cyber security has significantly increased over the last 5 to 10 years due to an increase in cyber-enabled crime, more detrimental breaches and stricter legislation. Cyber security has become a standing agenda at many board meetings and cyber metrics are becoming increasingly popular with board members as a way to evaluate cyber risk.
Members noted that one of the biggest challenges that many face is having multiple boards and committees, all with different levels of knowledge and understanding, as well as interest, in cyber security. The challenge of creating consistent understanding of cyber issues is complex.
Cyber risk appetite was discussed between members, primarily focusing on the measurement of risks and how this is portrayed to boards. Members noted there was a need for increased technical understanding within boards to minimise the need to translate technical into non-technical language.
General good practice
- Strategies for increasing board engagement identified by members included translation of cyber risks into business risks, having frequent communication and regular reporting with the board and relaying consistent messages to boards when briefing on cyber risk. Boards can find cyber risk metrics which relate cyber security posture to cyber maturity to be effective management intelligence (MI), especially if split across key business areas.
- Another effective tool to promote board engagement is to run simulated spear-phishing campaigns against board members, and cyber tabletop exercises.
- Some members shared that the NCSC Board Toolkit has been useful in educating the board on cyber risk, and in gaining a consistent view of risk across an organisation’s group structure. Members also noted that discussions around cyber with peers drive board engagement. Other effective tools for board engagement included presentations on the current threat landscape by external CISOs sharing their experiences and challenges, and focused briefings on effective cyber strategies.
- Boards currently have a large focus on cyber issues regarding the supply chain. This is due to the high number of supply chain cyber incidents and the large amount of recent publicity these have created. Members stated that they were being increasingly challenged by board members on this topic following events such as SolarWinds.
Section 3: Development, security, and operations (DevSecOps)
CCG members discussed secure software development principles and the level of maturity of DevSecOps in their organisations and sub-sectors.
DevSecOps is a trending practice in application security that involves introducing security earlier in the software development life cycle (SDLC). It also expands the collaboration between development and operations teams building on automation and platform design that integrates security as a shared responsibility throughout the entire SDLC.
The discussions covered the following themes:
- Governance and policy: Ensuring that the process and decision-making framework surrounding DevOps is explainable and robust. Creating transparent cyber security policies and procedures that are easy for developers and other team members to understand and implement in agile environments will also help.
- Automation and monitoring: Scaling security controls while aligning to the pace of DevOps processes by using automated security tools for code analysis, configuration management, patching and vulnerability management.
- Securing development environments: Providing engineers with environments that suit their needs and the needs of the business, while also promoting security practices and protecting the software supply chain. This includes access and secrets management.
- Implementing DevSecOps and Culture: Developing the right culture to enable cross-functional teams and shared responsibility for information security. Looking at the key barriers to adoption and how members have managed them.
Some examples of DevSecOps practices include scanning repositories for security vulnerabilities, early threat modelling, security design reviews, and static and dynamic code analysis:
- Vulnerability scanning, in particular software composition analysis of the open source components, libraries and dependencies referenced in source code, which may have been created without good security practice.
- In a DevSecOps process, security risk analysis can be used during the planning stage to identify which components are most secure or free from vulnerabilities that would put the project at risk. Vulnerability scans then occur at multiple stages of the development and build processes to ensure no new vulnerabilities are introduced after the initial planning stage.
- Early threat modelling is the approach of evaluating and mitigating application security risk by analysing the business environment where the application will be deployed and setting out how potential weaknesses might be exploited. The aim is to enable teams to quickly make data-driven and proactive decisions to minimise security risk exposure.
- There are many tools available, eg visual dashboards and solutions that use data to automatically build threat models.
- Static code analysis allows developers to scan the source code for weak or insecure code, quantifying each vulnerability and prioritising remediation. A finding above an agreed severity threshold blocks the component from moving to the next stage of the pipeline.
- Dynamic code analysis can be performed by automated tools against the running application, testing for a variety of threats without the need to access the source code.
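As an added example of the dependency scanning and severity gating described in the list above (written for this page; it is not a CCG member’s, a vendor’s or the FCA’s tool): a minimal software composition analysis gate in Python that parses a pinned requirements.txt, matches each dependency against an advisory feed by version range, and fails the pipeline stage if any finding is at or above the agreed severity, or if a dependency is unpinned and therefore cannot be assessed at all. The manifest, package names and advisory identifiers (ADV-000x) are constructed for the example and are not real packages or CVEs.

```python
import json
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed advisory feed in the shape most SCA tools consume.
# Identifiers and package names are hypothetical, not real CVEs or packages.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2", "severity": "critical"},
    {"id": "ADV-0002", "package": "examplelib", "introduced": "1.3.0", "fixed": "1.5.0", "severity": "medium"},
    {"id": "ADV-0003", "package": "otherpkg", "introduced": "0.1.0", "fixed": "2.0.0", "severity": "high"},
]

# Constructed requirements.txt: three pinned dependencies and one unpinned.
MANIFEST = """\
# application dependencies (constructed example)
examplelib==1.4.1   # pulled in for report rendering
OtherPkg==2.3.0
utility_kit==0.9.0
loosedep
"""


def normalise(name):
    """Package names are case-insensitive and '-' / '_' are interchangeable."""
    return name.strip().lower().replace("_", "-")


def version_tuple(version):
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_manifest(text):
    """Yield (name, pinned_version_or_None) for each requirement line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            yield normalise(name), version.strip()
        else:  # range specifiers or bare names cannot be assessed reproducibly
            yield normalise(re.split(r"[<>~!=\[ ;]", line, 1)[0]), None


def is_affected(advisory, version):
    vt = version_tuple(version)
    return version_tuple(advisory["introduced"]) <= vt < version_tuple(advisory["fixed"])


def audit(manifest_text, advisories=ADVISORIES, fail_on="high"):
    """Return findings plus a pass/fail verdict for the pipeline gate.
    The gate fails on any finding at or above `fail_on`, or on any unpinned dependency."""
    findings, unpinned = [], []
    for name, version in parse_manifest(manifest_text):
        if version is None:
            unpinned.append(name)
            continue
        for adv in advisories:
            if normalise(adv["package"]) == name and is_affected(adv, version):
                findings.append({"package": name, "version": version, "id": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed"]})
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    passed = worst < SEVERITY_RANK[fail_on] and not unpinned
    return {"findings": sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]]),
            "unpinned": unpinned, "passed": passed}


if __name__ == "__main__":
    report = audit(MANIFEST)
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if report["passed"] else 1)  # a non-zero exit fails the pipeline stage
```

On the constructed manifest the gate fails twice over: examplelib 1.4.1 sits inside both advisory ranges (one critical, one medium) and loosedep has no pin. Lowering the pin to a version inside only the medium range produces a reported but non-blocking finding, which is the behaviour the list above describes: everything is surfaced to the developer, only findings above the agreed threshold stop the build. Treating unpinned dependencies as a failure is a deliberate choice, since a build that resolves versions at run time cannot be reproduced or audited afterwards.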
Members spoke very positively about the benefits of DevOps for security, particularly the concepts of automation, self-service and software as code. Mature DevSecOps automation involves providing developers with self-service security tools that remediate identified vulnerabilities without the need to directly interact with security staff.
Examples discussed included:
- reduction of manual effort and consequently reduction of mistakes when spinning up consistently defined builds
- having security configuration applied immediately and consistently through coded pipelines, as this allows for the automation of the build, test, and deploy phases of the release process every time there is a code change, based on the release model defined by the developer
- the ability to pro-actively define security patterns for use in cloud deployments
The major challenge in implementing a DevSecOps culture is that the information security teams are often not integrated with the development and technology teams. In some cases development is done in data science units or outsourced to third parties.
Members noted that it can be a slow process to implement DevSecOps at an established firm. One solution is the use of agile sprints for projects, but it was noted challenges persist using this methodology, especially for larger projects. It was suggested that waterfall methodology can be more effective for more strategic projects.
General good practice
- A cultural shift to allow accountability for security to be shared across an organisation is crucial for DevSecOps to be used effectively. The empowerment of development teams to make security decisions and the integration of security expertise into development teams were noted as good strategies for moving towards DevSecOps.
- It was also noted that giving developers access to security tools to use themselves can be an effective strategy to both upskill developers, and to create faster security feedback loops.
- An ideal practice is for developers to contribute to the security standards for code, rather than these being mandated by security teams. Secure coding standards are sets of rules and guidelines used by an organisation to reduce security vulnerabilities and errors during development.
We thank all members of the Cyber Coordination Groups that have contributed to the discussions and whose insights are reflected in this publication.