Insights from the 2021 Cyber Coordination Groups

Research insights Published: 08/12/2022 Last updated: 01/02/2023

This publication provides an overview of insights arising from the discussions held at the FCA’s quarterly Cyber Coordination Group (CCG) meetings throughout 2021.

Introduction

This publication is split into 3 sections: the first highlights the cyber risk landscape, as well as emerging cyber risks discussed at the CCGs in 2021. This is followed by 2 focus topics in which we summarise members’ insights on board engagement with cyber security and the state of DevSecOps. The focus topics are agreed prior to each forum by the industry and FCA co-chairs.

Background to the Cyber Coordination Groups

Since the CCG programme was launched in 2017, the CCGs have brought together cyber security and technology risk leaders from industry in shared forums and connected them with multiple authorities responsible for cyber resilience across the financial sector, to discuss key topics in a secure environment.

The member firms were joined by representatives from UK financial authorities and UK Government agencies (the Authorities) including the Treasury, the FCA, the Bank of England, the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

The CCG forums are held on a quarterly basis with the aim to help firms share knowledge, challenges and good practices for protecting the financial sector from cyber threats. They also promote engagement between the financial sector and the Authorities.

In 2021, we held 30 forums and brought together 152 firms across 7 CCGs, with each CCG representing a specific sub-sector. These sub-sectors were Insurance, Investment Management, Fund Management, Retail Banking and Payments Firms, Retail Investments and Lending, Brokers/Principal Trading Firms and Trading Venues/Benchmark Administration Firms.

The FCA also supports the Trade Association Cyber Information Group (TACIG) forum which brings together leading Financial Sector Trade Association bodies, to maximise information sharing relevant to the financial sector.

This is our fourth annual CCG insights publication. As with previous years, it draws on the knowledge shared from the past year’s CCG discussions, with the aim of sharing information and good practices to the wider financial sector. The insights cover broad cyber risks that span sector priorities as well as the key themes that were discussed in depth by some or all the CCGs.

The key insights discussed in this publication include:

  1. Malicious cyber actors targeting internet-facing systems such as email servers and virtual private networks (VPNs) with newly disclosed vulnerabilities, ransomware attacks using Remote Desktop Protocol (RDP) and unpatched devices, denial of service attacks, and inadequate supply chain oversight leading to supply chain compromise.
  2. The coronavirus (Covid-19) pandemic continued to impact the sector in 2021, with the challenges posed by remote and hybrid ways of working.
  3. Emerging trends in cyber security risks include supply chain compromise and the exploitation of zero-day vulnerabilities.
  4. The importance of board engagement in setting the organisational cyber risk appetite. This also extends to board support in measuring the effectiveness of cyber security postures, and board assurance that supply chain partners effectively protect the information shared with them.
  5. Several common good practices can be used for implementing security in the early stages of the software development cycle (also known as DevSecOps). These include empowering rather than mandating security practices and giving development teams access to security tools.

This publication is not FCA guidance on rules under section 139A of the Financial Services and Markets Act 2000. It does not set out FCA expectations for systems and controls that firms should have in place to comply with our regulatory requirements.

All insights have been shared by one or more firms within the CCGs, and much of the discussion supports existing guidance from the NCSC.

Section 2: Board engagement on cyber security

CCG members noted that awareness of cyber security has significantly increased over the last 5 to 10 years due to an increase in cyber-enabled crime, more detrimental breaches and stricter legislation. Cyber security has become a standing agenda at many board meetings and cyber metrics are becoming increasingly popular with board members as a way to evaluate cyber risk.

Members noted that one of the biggest challenges that many face is having multiple boards and committees, all with different levels of knowledge and understanding, as well as interest, in cyber security. The challenge of creating consistent understanding of cyber issues is complex.

Cyber risk appetite was discussed between members, primarily focusing on the measurement of risks and how this is portrayed to boards. Members noted there was a need for increased technical understanding within boards to minimise the need to translate technical language into non-technical language.

General good practice

  • Strategies for increasing board engagement identified by members included translating cyber risks into business risks, having frequent communication and regular reporting with the board, and relaying consistent messages to boards when briefing on cyber risk. Boards can find cyber risk metrics which relate cyber security posture to cyber maturity to be effective management intelligence (MI), especially if split across key business areas.
  • Another effective tool to promote board engagement is to run spear-phishing campaigns on board members and cyber tabletop exercises.
  • Some members shared that the use of the NCSC Board Toolkit has been useful in educating the board on cyber risk and in gaining a consistent view of risk across an organisation’s group structures. Members also noted that discussions about cyber with peers drive board engagement. Other effective tools for board engagement included presentations on the current threat landscape by external CISOs sharing their experiences and challenges, and focused briefings on effective cyber strategies.
  • Boards currently have a large focus on cyber issues regarding the supply chain. This is due to the high number of supply chain cyber incidents and the large amount of recent publicity these have created. Members stated that they were being increasingly challenged by board members on this topic following events such as SolarWinds.

Section 3: Development, security, and operations (DevSecOps)

CCG members discussed secure software development principles and the level of maturity of DevSecOps in their organisations and sub-sectors. 

DevSecOps is a trending practice in application security that involves introducing security earlier in the software development life cycle (SDLC). It also expands the collaboration between development and operations teams building on automation and platform design that integrates security as a shared responsibility throughout the entire SDLC.

The discussions covered the following themes:

  • Governance and policy: Ensuring that the process and decision-making framework surrounding DevOps is explainable and robust. Creating transparent cyber security policies and procedures that are easy for developers and other team members to understand and implement in agile environments will also help.
  • Automation and monitoring: Scaling security controls while aligning to the pace of DevOps processes by using automated security tools for code analysis, configuration management, patching and vulnerability management.
  • Securing development environments: Providing engineers with environments that suit their needs and the needs of the business while also promoting security practices and protecting the software supply chain. This also covers access and secrets management.
  • Implementing DevSecOps and culture: Developing the right culture to enable cross-functional teams and shared responsibility for information security. Looking at the key barriers to adoption and how members have managed them.

Some examples of DevSecOps practices include scanning repositories for security vulnerabilities, early threat modelling, security design reviews, static code and dynamic code reviews:

  • Vulnerability scanning, in particular open source vulnerability scanning, analyses the open source components, libraries and dependencies in source code, which may have been created without good security practice.
  • In a DevSecOps process, security risk analysis can be used during the planning stage to identify which components are most secure or free from vulnerabilities that would put the project at risk. Then, vulnerability scans occur at multiple stages of the development and build processes to ensure no new vulnerabilities are introduced after the initial planning stage.
  • Early threat modelling is the approach of evaluating and mitigating application security risk by analysing the business environment where the application will be deployed and setting out how potential weaknesses might be exploited. The aim is to enable teams to quickly make data-driven and proactive decisions to minimise security risk exposure.
  • There are many tools available, eg visual dashboards and solutions that use data to automatically build threat models.
  • Static code reviews allow developers to scan the source code for weak or insecure code, quantifying the vulnerability and prioritising remediation. The level of severity determines whether a component can move to the next stage of development.
  • Dynamic code review can be performed by automated applications, testing for a variety of threats without the need to access the development source code.
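As an added illustration of the multi-stage scanning and severity gating described above (not code from the FCA page or from any CCG member firm): a small Python pipeline check that compares the current scan against the planning-stage baseline and blocks a component only on newly introduced findings at or above a chosen severity. The component names, advisory identifiers and severities are constructed placeholders.

```python
"""Pipeline severity gate: fail a stage only on findings newly introduced since the
planning-stage baseline. Added illustration; not code from the FCA page or CCG members."""
from dataclasses import dataclass

# Ordering used to compare scanner severities and to prioritise remediation.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    component: str  # dependency or source file the scanner flagged
    rule: str       # advisory or rule id; values below are constructed placeholders
    severity: str   # one of SEVERITY_RANK


def prioritise(findings):
    """Order findings for remediation, most severe first (stable for equal severity)."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


def new_findings(baseline, current):
    """Findings present in this scan that were not accepted at planning time."""
    known = set(baseline)
    return [f for f in current if f not in known]


def gate(baseline, current, block_at="high"):
    """Decide whether the component may move to the next stage of the pipeline.

    Returns (passes, blocking): passes is False when any newly introduced finding
    is at or above the block_at severity; blocking lists those findings by priority.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = prioritise(f for f in new_findings(baseline, current)
                          if SEVERITY_RANK[f.severity] >= threshold)
    return not blocking, blocking


# Constructed sample data: one finding accepted at planning, a later scan adds two more.
BASELINE = [Finding("lib-a", "ADV-0001", "medium")]
CURRENT = BASELINE + [
    Finding("lib-b", "ADV-0002", "critical"),
    Finding("app/util.py", "RULE-weak-hash", "low"),
]

if __name__ == "__main__":
    passes, blocking = gate(BASELINE, CURRENT)
    print("stage passes:", passes)
    for f in blocking:
        print(f"  BLOCK {f.severity:<8} {f.component} ({f.rule})")
```

Raising the threshold (eg `block_at="critical"`) or adding an accepted finding to the baseline changes the gate decision without touching the scanner, which keeps the policy reviewable as code.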

Members spoke very positively about the benefits of DevOps for security, particularly the concepts of automation, self-service and software as code. Mature DevSecOps automation involves providing developers with self-service security tools that remediate identified vulnerabilities without the need to directly interact with security staff.

Examples discussed included:

  • reduction of manual effort and consequently reduction of mistakes when spinning up consistently defined builds
  • having security configuration applied immediately and consistently through coded pipelines, as this allows for the automation of the build, test, and deploy phases of the release process every time there is a code change, based on the release model defined by the developer
  • the ability to pro-actively define security patterns for use in cloud deployments

The major challenge in implementing a DevSecOps culture is that the information security teams are often not integrated with the development and technology teams. In some cases development is done in data science units or outsourced to third parties.

Members noted that it can be a slow process to implement DevSecOps at an established firm. One solution is the use of agile sprints for projects, but it was noted that challenges persist with this methodology, especially for larger projects. It was suggested that the waterfall methodology can be more effective for more strategic projects.

General good practice

  • A cultural shift to allow accountability for security to be shared across an organisation is crucial for DevSecOps to be used effectively. The empowerment of development teams to make security decisions and the integration of security expertise into development teams were noted as good strategies for moving towards DevSecOps.
  • It was also noted that giving developers access to security tools to use themselves can be an effective strategy to both upskill developers, and to create faster security feedback loops.
  • An ideal practice is for software developers to begin contributing to the security standards for code, rather than these being mandated by security teams. Secure coding standards are sets of rules and guidelines used by an organisation to reduce security vulnerabilities and errors during development.

We thank all members of the Cyber Coordination Groups that have contributed to the discussions and whose insights are reflected in this publication.
