Cyber resilience: considerations for Boards

UK enforcement focus on operational resilience

The FCA’s and PRA’s focus on operational resilience has been intensified by the current market and geo-political climate. Of particular concern is the increasing threat and impact of cyber attacks, as highlighted by the FCA’s Strategy for 2022-2025. 

Save for a GBP16.4 million fine imposed on a bank in 2018, the FCA has not brought enforcement action relating to cyber resilience issues. Recently, however, the FCA and other organisations have repeatedly warned of the increased risk of cyber attacks, particularly since the Russian invasion of Ukraine and as a result of remote or hybrid working. Firms should therefore be aware of the higher risk of enforcement action if they suffer an attack and are found not to have taken adequate steps to review and enhance their cyber resilience following the FCA’s warnings about the increased risk.

Key cyber risks for firms

The CCGs bring together cyber security and technology risk leaders from industry in shared forums and connect them with multiple authorities responsible for cyber resilience across the financial sector, to discuss key topics in a secure environment. 

The 30 forums hosted in 2021 identified several key threats, including:

• malicious cyber actors targeting internet-facing systems, such as email servers and virtual private networks (VPNs) with newly disclosed vulnerabilities;
• a 300% increase in ransomware attacks since 2019, with the most common entry points being Remote Desktop Protocols (RDP) ports as well as unpatched software, hardware or VPNs; and
• denial of services attacks.

The top emerging trends identified by CCG members were:

• Supply chain compromise. Firms cannot only consider the security of their own systems, as cyber attacks can also exploit vulnerabilities within their supply chains. Understanding where third party software has wide-ranging access is critical to IT governance. Questionnaire-based due diligence may not identify risks of sophisticated attacks or compromised software.
  
  
• Zero-day vulnerabilities. Some attacks exploit security vulnerabilities that do not have a fix in place (known as ‘zero-day’ threats). The CCGs emphasised that these attacks are “highly likely to succeed”, given the lack of existing defences, but that moving towards Zero Trust in a network will help guard against zero-day attacks. While firms adapt to a Zero Trust approach, CCG members suggest a practical short-term fix of increasing the use of endpoint firewalls.

Board level engagement is essential 

Boards have an important role to play in setting the organisational cyber risk appetite and the FCA has, for some time, expected cyber risks to “move into the Board room”.  The CCGs discussed good practice relating to Board engagement on cyber security, including some of the points listed below. 

• Reporting and discussion. Boards need to receive regular reporting and frequent communication about cyber risks.
  • If not already done, boards should consider incorporating cyber security as a standing agenda item for meetings. Board members should scrutinise and challenge the consistency of any briefings on cyber risk, and ensure that they bottom-out any gaps in or concerns about the reporting.
  • Boards should also request regular cyber-related metrics and management information. This could be broken down to reflect operational effectiveness per business area where applicable.
    
    
• Training and understanding: CCG members noted the challenge of having multiple boards and committees within an organisation with different levels of knowledge, understanding and interest in cyber security.  Members of boards and relevant committees must be sufficiently informed in order to accurately translate cyber risks into business risks and there is a need for increased technical understanding within Boards. Firms should therefore arrange appropriate training and create suitable board documentation to ensure that board members: 
  • possess the necessary technical understanding of cyber security issues; and 
  • have the most up-to-date knowledge on cyber risks and effective cyber strategies in order to be able to evaluate it as an evolving risk.

  Various resources are available to assist in educating Boards, such as the NCSC Board Toolkit. Firms can also run tests through their technology teams or external providers, such as spear-phishing campaigns and cyber tabletop exercises, which can help board members to see how effective their responses to example scenarios would be.

• Culture and governance:
  • Boards should ensure that: (i) they are aware of, and appropriately challenge, potential cyber risks arising from the firm’s supply chain; and (ii) their firm takes steps to ensure that supply chain partners have an effective security posture and have appropriate cyber security safeguards in place to protect the firm.
  • Staff at all levels should be trained on good security practice and subject to relevant policies and procedures. Board engagement can help to create a ‘top down’ culture in which all employees take security seriously, in order to minimise the risk of cyber attacks.
  • CCG members consider it crucial to foster a culture that allows accountability for cyber security to be shared across an organisation.

Whilst enforcement actions against individuals under the Senior Managers Regime remain rare, recent FCA enforcement notices have been critical of boards and senior managers who fail to meaningfully engage with business risks. Active Board engagement on cyber security is therefore essential, both in terms of ensuring the adequacy of a firm’s controls and in ensuring that quick and decisive action is taken if a breach does occur, which is all the more critical in cases where a nation-state actor may be involved. Boards therefore have a key role to play.