We give a broad overview and insight into the discussions held at our quarterly Cyber Coordination Group meetings, with the aim of sharing the valuable insights found in these groups to the wider financial sector.
Cyber threats and their associated harms represent a complex and evolving challenge for the financial sector. Since 2017, the FCA has brought financial services firms together to collaborate in groups on cyber security and operational resilience.
These Cyber Coordination Groups (CCGs) have aimed to help firms share knowledge and discuss good practices in protecting themselves from cyber threats.
In 2020, we convened 157 firms in 7 CCGs, with each CCG representing a specific sub-sector. The 2020 CCG sub-sectors were: Insurance, Investment Management, Fund Management, Retail Banking and Payments Firms, Retail Investments and Lending, Brokers/Principal Trading Firms and Trading Venues/Benchmark Administration Firms.
The CCGs met quarterly, allowing firms to learn from and support their peers, as well as address sector-wide issues in a collaborative setting. The CCGs were joined by representatives from HM Treasury (The Treasury), the FCA, the Bank of England (BoE), the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), to promote increased engagement between the financial sector and these authorities.
The FCA also supports the Trade Association Cyber Information Group (TACIG) which brings together leading Financial Sector Trade Association bodies, to maximise information sharing to the financial sector. The TACIG shares key information and insights with member associations and the firms that are part of them.
This is our third annual CCG insights publication. It draws on the knowledge shared from the past year’s CCG discussions, with the aim of sharing information and good practices to the wider financial sector. The insights cover broad cyber risks that span sector priorities, in addition to the key themes that were discussed in depth by some or all the CCG groups.
The key insights discussed in this publication are:
- Some of the major cyber threats and risks that CCG member firms have been faced with include: ransomware attacks, denial of service attacks, cloud security, insider threats and inadequate supply chain oversight and security.
- CCG firms have identified Zero Trust Security models and Artificial Intelligence as some of the emerging fields within cyber-security.
- The change to remote working has put additional strain on cyber-security teams and systems, requiring the need to re-evaluate existing cyber risks and controls. The changed ways of working have also exacerbated the challenges caused by ransomware, supply chain security and insider threats.
- There are several common good practices that can be used to mitigate supply chain risks. CCG members identified fourth-party supply chain and Cloud Service Provider (CSP) risks as unique challenges in this space and shared potential mitigation strategies. CCG members also identified shared assurance models as potentially promising improvements to the way firms assess supply chain risk.
This is not FCA guidance on rules under section 139A of the Financial Services and Markets Act 2000. It does not set out the FCA’s expectations for systems and controls that firms should have in place to comply with our regulatory requirements.
All discussions have been shared by one or more firms within the CCGs, and much of the discussion supports existing guidance from the NCSC.
Section 1: Cyber threats and emerging trends
The cyber threat landscape continues to evolve at pace, presenting a complex challenge for the financial sector. The coronavirus (Covid-19) pandemic has presented financial services firms with many information security challenges including an increase in targeted phishing campaigns, the invocation of extensive business continuity plans and significant changes to the way firms operate day to day.
These challenges, coupled with the continuously increasing capabilities of malicious actors, made 2020 an unprecedented year for information security. In this section, we summarise the main areas of risk identified by CCG members in 2020, and some emerging cyber security trends.
Ransomware is a malicious software that has 2 main modes of attack:
I. Encrypting core systems and demanding a ransom from the victim to access decryption keys to restore access to the encrypted data.
II. Exfiltrating data out of target systems, and blackmailing the target into paying a ransom to avoid publication of the data.
The usual motive for ransomware attacks is financial gain, but other reasons include covering digital ‘footsteps’ following other malicious activity.
CCG members noticed that the use of ransomware accelerated and became more malevolent in 2020. There has also been an increase in pressure for firms to pay ransoms due to the threats of publication of sensitive information.
CCG members discussed mitigation strategies that include:
- Maintaining and updating hardware, software, operating systems, Internet of Things (IoT) and peripheral/mobile device patching.
- Implementing backup and restore procedures.
- Implementing segmentation of networks to isolate critical areas and systems as much as possible.
Denial of service (DoS)
A DoS attack aims to shut down a machine or network, making it inaccessible to its intended user(s). This can be scaled by an attacker into a Distributed Denial of Service (DDoS) attack where there are attacks from multiple sources.
CCG members noted an increase in the scale, sophistication and frequency of DoS attacks in 2020. CCG members discussed mitigation techniques which include:
- Allowing and blocking specific IP addresses or regions.
- Limiting the amount of traffic available to specific networks or parts thereof.
- Working with internet service providers and DoS mitigation services to implement upstream filtering.
Cloud architectures and their use within the financial sectors has increased in recent years. Cloud Service Providers (CSPs) remain targets for both espionage and financially motivated cyber-attacks due to the amount of data stored in the cloud by many different users. In addition, successful attackers could potentially obtain access to computing resources, at someone else’s expense.
The 3 major cloud risk areas identified by CCG members in 2020 were:
- Misconfiguration - Misconfiguration of cloud services continues to be the main cause of information security incidents and occurs when cloud assets have been incorrectly configured, introducing security flaws.
- Lack of security awareness - When firms move to cloud services, often they are unaware of the potential threats they face and fail to take the necessary actions to safeguard their data, prioritising functionality over security. Having the correct skills to help plan, design and execute a cloud migration was found to be key to reducing the risk of mistakes.
- Account compromise - Compromising privileged or sensitive accounts can provide attackers with complete access to a victim’s cloud environment, potentially providing them with access to data and enabling them to cause significant disruption. This continues to be another area of focus from threat actors, with controls such as multi-factor authentication still not being used as widely as they should be.
Insider threat remains a large challenge for firms, especially across an ever-expanding security perimeter that includes suppliers, partner organisations and other third and fourth-parties. This includes both malicious and accidental insider threats.
CCG members identified that one of the greatest insider threats comes from employees who have privileged technical accesses (developers, system administrators and architects) and former employees who retain access privileges which could allow them to access systems remotely.
Supply chain security
Identifying and mitigating risks that exist in supply chain partners remains a significant challenge for firms. Remote working has increased the dependency that many financial sector firms have on some third-party providers and several high-profile breaches have illustrated the dangers of cyber-attacks that target suppliers and third-parties.
These breaches frequently have the aim of extending disruption to the consumers of the third-party services. We cover this in detail in Section 3.
Zero Trust security
Zero Trust is a security concept based on the belief that an organisation should not automatically trust anything inside or outside its perimeters. Instead it must verify anything and everything trying to connect to its systems and networks before granting access.
In traditional network security models, it is harder to gain access from outside the network, but everyone inside the network is trusted by default once authenticated. This can provide attackers with widespread access once perimeter defences have been breached.
CCG members discussed the potential of Zero Trust models as a remedy for remote working security challenges and took part in discussions with NCSC Zero Trust experts as to how effective models could be applied to their firms. Members noted that Zero Trust models have a promising future in addressing traditional network security challenges, and are worthy of attention when considering one’s own network security.
The attack surface of firms is often large and continues to grow and evolve rapidly. Analysing and improving cyber-security posture is no longer a human-scale problem.
CCG members identified Artificial intelligence (AI) as a prospective solution to this problem. AI-based tools have emerged to help information security teams analyse millions of events and identify many different types of threats.
These technologies can learn over time, drawing from experience to identify new types of attacks.
However, AI and machine learning techniques also have the potential to be used by malicious actors to increase the speed, sophistication and customisation of attacks. As such it was noted that AI may need to be seriously considered from both a defensive and offensive cyber-security stance.
Section 2: Covid-19 and remote working
Covid-19 has increased the challenges of cyber-security teams greatly, through a variety of different issues.
New ways of working
The global pandemic has required financial sector firms to quickly transition to a remote workforce with an increased focus on serving customers through digital channels. This rapid change required information security teams to perform multiple roles of supporting business continuity and protecting the firm and its customers while adapting their own operations to a ‘new normal’.
CCG members highlighted that this has put an even greater strain on their cyber security teams.
At the beginning of the pandemic response, many companies were forced to accept new risks, including reduced control standards to keep operations going. As employees and firms became accustomed to the changes, these residual risks were re-evaluated often resulting in tightened controls.
The surge in remote working due to Covid-19 has expanded the security perimeters of firms, with attackers seeking to exploit the vulnerabilities in employees’ home networks. CCG members expressed concern over the security of employees’ home devices including routers and IoT devices.
Some CCG members also noted the challenges in achieving the same level of monitoring capabilities they had on premises with most having to upgrade capabilities to achieve some level of effective monitoring. With additional layers such as virtual private networks (VPNs), multiple networks and various cloud applications and platforms such as Office 365 being used, effective monitoring became an even greater challenge.
CCG members discussed the increased monitoring of employees performing high-risk functions from home in order to reduce risks of harm.
These additional challenges have highlighted that traditional systems and controls are often put under strain when transitioned to remote working. CCG members noted the need re-evaluate their cyber threats given the changes to ways of working caused by the pandemic.
Ransomware and malicious actors
Malicious actors ranging from opportunistic attackers to nation-state actors have looked to exploit the pandemic for their benefit. Indicators of threat activity began to emerge almost at the same time as the growing societal awareness of the scope of the pandemic.
This highlights the speed at which attackers can move to take advantage of major news developments.
CCG members observed that the most evident example of this increase in opportunistic attacks was an increase in phishing and vishing attempts, many of which used pandemic-related lures to gain access to personal, financial and business data.
With the financial sector worldwide seeing an increase in ransomware attacks, many CCGs noted the importance of ensuring timely patching of systems, applications and control updates. Firms also discussed the need to counter the increased threat with greater monitoring capabilities and staff information security and cyber awareness training, including phishing control tests.
CCG members noted that the increased threat level from ransomware had led to board awareness of the problem and its potential brand impact. This has helped cyber risk become a higher priority across firms.
CCG members also recognised that in response to enabling homeworking, insider threats have become harder to monitor. This is true of both malicious and accidental insider threats. Procedures, policies and other (digital and physical) control measures may not fully cater for this change.
CCG members acknowledged that malicious or accidental breaches can happen when staff may be more vulnerable because of anxieties increasing due to Covid-19 while juggling home-schooling, home working or other stresses. This can be exacerbated by longer working hours resulting in fatigue and potentially poor decision making.
Finally, CCG members noted that we may never see a permanent solution to mitigating insider threat, due to its unpredictable nature. For the most part, firms mentioned monitoring of users and system activities as the main way to mitigate against insider threat, alongside an increase in awareness training and monitoring of staff wellbeing.
Section 3: Supply chain security
CCG members regularly identify that the risks associated with their supply chains and third-parties are a major cyber and operational resilience priority. In 2020, supply chain security was one of our focus topics for the CCG meetings.
CCG members identified several key issues associated with third-party risk management and discussed potential ways to mitigate against these risks. Throughout, members recognised that third-party risk management is a complex issue which encompasses third-parties of varying sizes, introducing complicated levels of risk that are hard to manage. This risk increases particularly as firms scale up and use additional third-party providers. CCG members agreed that a ‘one size fits all’ approach is not appropriate, and that these challenges require an adaptive approach.
General good practice
CCG members discussed a variety of good practices to handling third-party risk management and assurance. Common opinions across the CCG meetings included:
- Members agreed that some of the better strategies to carry out third-party risk due diligence include independent audits of third-party systems, assurance that a third-party has strong security certifications and concise security questionnaires.
- CCG members considered security questionnaires a somewhat flawed approach, but currently serve a purpose in providing a reasonable standard of risk oversight while being simple to implement. Security questionnaires are prone to over optimistic responses from third-party suppliers, which needs to be accounted for in the evaluation of risk. Members also agreed that, when questionnaires are used, a short question set that probes meaningful areas of risk is much more beneficial than long and complex questionnaires.
- Members acknowledged that responses to document requests or questionnaires do not always answer all risk management questions, and that instead fostering a good relationship between a third-party supplier’s security team and a firm’s risk management team is an excellent way to gain more bespoke, targeted risk assurance. This approach is not always possible, however, especially with large suppliers.
- Members agreed on the need to follow a standard approach if a third-party supplier is compromised, based on the degree and extent of impact. To best implement this, a robust risk management framework should be in place, coupled with a strong accountability chain within a firm. To help ensure an accountability chain is robust, education of third-party cyber risks across senior management teams is essential. Members highlighted that if business decisions are being made based on third-party risk due diligence, then a good understanding of third-party cyber risk must be in place at a senior level.
- In a similar vein, some members noted that often third-party risk management teams can be either too business-focused or too technology-focused, and that a balance needs to be struck to account for both areas.
- Members agreed that when a third-party service changes, fresh due diligence is required to re-evaluate the risks.
- CCG members also discussed how best to vary risk management approaches depending on the size and nature of the third-party supplier, agreeing that there are positives and negatives to dealing with both large and smaller providers. The consensus in the groups was that large suppliers cannot be deprioritised in relation to risk, and thorough due diligence is required for all suppliers regardless of reputation and size. They also noted that legacy and incumbent third-party suppliers tend to be less flexible and harder to manage, so greater attention is often required.
- Despite all good practice, members noted that risks will inevitably materialise into real consumer harm on some occasions, and that it is crucial this is understood across the business and that contingency is put in place to mitigate the harm caused.
There were in-depth discussions from CCG members around the additional cyber risks posed when suppliers outsource some of their own operations (fourth-parties, fifth-parties, etc). Members noted that fourth-parties often pose an even greater risk than a firm’s third-parties, due to them often being critical in the supply chain but there being very low visibility of these risks from a firm’s perspective.
CCG members noted that fully managing fourth-party risk is extremely challenging due to this lack of visibility. However, it should be an ambition to make fourth-party risk management as robust as third-party risk management.
Members noted it is common practice to question a third-party supplier’s own supply chain as part of the due diligence process. However, it was acknowledged that this is often not done to great enough detail to effectively mitigate against fourth-party risks.
Members agreed that due to the lack of visibility and contact with fourth-party providers, greater due diligence should be undertaken at the contractual stage with a third-party supplier. This could include gaining full oversight of a third-party’s supply chain before starting a relationship with them, with contractual obligations for the third-party to update the firm if this supply chain changes.
Cloud service providers
CCG members discussed cloud service providers (CSPs) as a very different category of third-party, with different risk mitigation approaches needed. CCG members noted that CSPs tend to offer more resilience than other third-party providers, but their risk should still not be deprioritised due to the high level of reliance upon CSP systems by firms.
A major way in which CSPs differ from traditional third-party suppliers is their engagement style. CSPs tend not to entertain bespoke risk assurance approaches, and traditional good practices such as issuing security questionnaires are relatively ineffective.
Members agreed that the best way to gain assurance from CSPs is to foster a strong relationship with them. However, this is unrealistic for all but the largest firms. As a result, there is some level of reliance upon reviewing CSPs’ shared due diligence and audit reports and comparing these to a firm’s current risk appetite.
Financial sector cloud contract addendums can be useful to provide extra assurance from CSPs for firms to fulfil financial sector regulatory obligations.
Another angle to CSP risk is that of suppliers who operate on Software as a Service (SaaS) or Platform as a Service (PaaS) infrastructures. These suppliers use CSP infrastructure to provide their service.
This often leads to a juxtaposition of risk. On one hand, the added resilience of CSP infrastructure can lead to more robust cyber posture. However, the lack of full system visibility, paired with security risks associated with poor cloud platform configuration, adds additional risk.
CCG members agreed that this trade-off needs to be considered when engaging with suppliers who operate via SaaS or PaaS.
CCG members also discussed the concentration risk associated with using CSPs to house multiple important systems, in addition to potentially having additional third-party suppliers using the same CSP. The consensus of the groups was that in general this concentration risk is acceptable due to the high level of resilience of CSPs, and the high number of different regional server centres that CSPs operate across.
Some members raised the prospect of using multiple CSPs to mitigate concentration risk. Multi-cloud approaches involve the simultaneous hosting of services across multiple CSPs, which can increase resilience if one CSP has outages.
The feasibility of this approach was questioned by some members due to the resource cost and differences in infrastructure between different CSPs. This was countered by some members, with the suggestions that container technology can be used to allow for easier implementation across multiple CSP infrastructures, or for rapid redeployment in the case of a certain CSP becoming compromised.
Third-party risk management products
Third-party risk management products can be used to evaluate the risk posed by certain third-party suppliers, and to gain risk oversight of a supply chain. The CCG members were generally disapproving of such products for several reasons.
Primarily, members felt that third-party risk management products provide little detail or context in their reports, resulting in potentially ill-advised advice. This is compounded by the fact that the cyber position of an organisation can change faster than the reporting of such a product, resulting in inaccurate reports.
Despite this, some CCG members saw benefit to using such products, acknowledging that they can be of some use at a very high level to gain oversight but should not be used for detailed analysis or final decisions.
In addition, CCG members noted that although the benefit of such products is questionable, the availability and visibility of their reports helps drive cyber improvements across industry.
Several aspects of third-party risk management and assurance have been affected by the Covid-19 pandemic and the subsequent change in working requirements. CCG members identified the following 3 changes:
- Third-party supplier auditing has changed in nature. On-site audits have not been possible which has added complications in gaining assurance. Nonetheless, some CCG members considered the replacement of on-site audits with virtual audits as an adequate replacement.
- Firms were forced to adapt quickly to new working environments, which often required the adoption of additional third-party suppliers such as video conferencing technology suppliers. CCG members acknowledged that due diligence was unlikely to have been fully completed due to the speed at which these changes were required, and reassessing due diligence in these circumstances is beneficial.
- Higher levels of remote working have led to an increase in cyber risk tolerance amongst CCG members who advised that a key aspect in managing this has been to increase education around remote working practices to staff and management.