Cybersecurity challenges and mitigation strategies for financial services firms
12 July 2021
The FCA has published insights (FCA Insights) from its 2020 Cyber Coordination Groups (CCGs). The CCGs are comprised of financial services firms which meet quarterly to discuss and share best practices on cybersecurity and operational resilience.
The FCA has emphasised that the FCA Insights do not constitute formal guidance and do not set out FCA expectations on systems and controls that firms should have in place to comply with their regulatory obligations. However, this is the first detailed statement that the FCA has published since the onset of Covid-19 last year about the main cyber threats that firms are experiencing and potential mitigants that they can deploy, many of which have evolved as a result of the transition to a remote workforce.
The FCA Insights identified the following areas as current cybersecurity threats.
Ransomware
Ransomware is malicious software with two main modes of attack: (i) encrypting core systems and demanding a ransom from the victim in exchange for the decryption keys needed to restore access to the encrypted data; and (ii) exfiltrating data from target systems and blackmailing the target into paying a ransom to avoid publication of the data. Attackers increasingly combine the two, so that a firm with good backups can still be pressured by the threat of publication.
The FCA Insights note that the CCGs observed an acceleration in the use of ransomware during 2020, much of it delivered through opportunistic phishing and vishing attempts, many of which used pandemic-related lures to gain access to personal, financial and business data. The FCA explained that indicators of "threat activity" in this space "began to emerge almost at the same time as the growing societal awareness of the scope of the pandemic", thereby evidencing "the speed at which attackers can move to take advantage of major news developments".
The CCGs also noted that the acceleration in the use of ransomware during 2020 led to increased pressure for firms to pay ransoms due to the threats of publication of sensitive information. Although not a point that was highlighted in the FCA Insights, paying ransoms to cyber attackers in these circumstances can give rise to the risk of financial institutions committing financial sanctions or terrorist financing offences.
The most popular ways to mitigate the risks associated with ransomware identified in the FCA Insights include timely patching of systems and applications and updating of security controls, increased monitoring capability (so that encryption or bulk exfiltration is noticed early), and enhanced information and cyber awareness training for staff that includes phishing control tests.
Denial of Service attacks
Denial of Service (DoS) attacks attempt to make machines, services or networks unavailable, typically by flooding them with more traffic or requests than they can handle so that legitimate users cannot be served. When the traffic is generated from many sources at once (for example, a botnet), the attacks are known as Distributed Denial of Service (DDoS) attacks, which are harder to filter because there is no single source to block. The CCGs stated there had been an increase in the number, scale and sophistication of these attacks during 2020.
The CCGs discussed mitigants including blocking specific IP addresses or geographic regions, rate limiting (capping the volume of traffic accepted from a given source or to a given service) and working with internet service providers and third-party DoS mitigation services to perform upstream filtering, so that attack traffic is dropped before it reaches the firm's own network.
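The first two mitigants above, IP or range blocking and per-source rate limiting, are simple enough to show concretely. The following is an added example written for this page, not code from the FCA Insights or the CCGs: a token-bucket rate limiter keyed on source address, combined with a CIDR blocklist, run over a small set of constructed request records. The addresses come from the RFC 5737 documentation ranges, and the rate, burst and blocked network are illustrative values chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample traffic: (timestamp in seconds, source IP, request path).
# 203.0.113.5 sends 10 requests in 0.1 s (a flood), 198.51.100.7 sends one
# request per second (normal), 192.0.2.9 sits in a range we have chosen to block.
SAMPLE_REQUESTS = (
    [(i * 0.01, "203.0.113.5", "/login") for i in range(10)]
    + [(float(i), "198.51.100.7", "/accounts") for i in range(3)]
    + [(0.5, "192.0.2.9", "/login"), (0.6, "192.0.2.9", "/login")]
)

# Illustrative blocklist: a whole documentation range, standing in for a region
# or a known attack source that the firm has decided to drop outright.
BLOCKED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


class TokenBucket:
    """Classic token bucket: `burst` tokens available at once, refilled at
    `rate_per_sec`. Each accepted request costs one token."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.capacity = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            # Refill in proportion to elapsed time, never beyond capacity.
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_requests(requests, rate_per_sec, burst, blocked_networks):
    """Return (timestamp, src, path, decision) for each request, where decision is
    'blocked' (source in a blocked network), 'rate_limited' (bucket empty) or 'allowed'.
    Requests are processed in timestamp order so refill arithmetic is correct."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    decisions = []
    for ts, src, path in sorted(requests):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in blocked_networks):
            decision = "blocked"
        elif buckets[src].allow(ts):
            decision = "allowed"
        else:
            decision = "rate_limited"
        decisions.append((ts, src, path, decision))
    return decisions


def summarize(decisions):
    """Count decisions by outcome, e.g. {'allowed': 8, 'rate_limited': 5, 'blocked': 2}."""
    counts = defaultdict(int)
    for _, _, _, decision in decisions:
        counts[decision] += 1
    return dict(counts)


if __name__ == "__main__":
    # Burst of 5, then 2 requests per second per source.
    results = filter_requests(SAMPLE_REQUESTS, rate_per_sec=2.0, burst=5, blocked_networks=BLOCKED_NETWORKS)
    for ts, src, path, decision in results:
        print(f"{ts:5.2f} {src:15} {path:10} {decision}")
    print(summarize(results))
```

With these parameters the flooding source gets its first five requests through and the remaining five are rate limited, the well-behaved source is never throttled, and the blocked range is dropped before any bucket is consulted. In practice a single host doing this is the last line of defence; the volume that defines a DDoS is exactly what makes the upstream filtering the CCGs mention necessary, because by the time packets reach the firm's own edge the link may already be saturated.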
Cloud security
The use of Cloud service providers (CSPs) has become more widespread across the financial sector in recent years. Given the volume of data CSPs hold on behalf of many firms, they have become a target for espionage and financially motivated cyber attacks. CSPs can establish and manage clouds or offer on-demand cloud computing components such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). While CSPs offer added resilience in terms of infrastructure, firms may have even less visibility of the underlying systems than with traditional third parties, and there is the additional risk of poor cloud platform configuration: under the shared responsibility model the configuration of the firm's own cloud tenancy remains the firm's responsibility, not the CSP's.
The CCGs identified three main risk areas in cloud security:
- Misconfiguration that introduces security flaws.
- Prioritising functionality over security when executing a cloud migration strategy.
- Compromised accounts within a firm, which have the effect of providing attackers with access across a firm's cloud environment.
These risks can be mitigated through financial sector cloud contract addendums, spreading a firm's vital systems across multiple CSPs, or using container technology to facilitate rapid redeployment of systems on a new cloud platform in the event of a cyber attack.
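The FCA Insights do not name any particular misconfiguration, so the following is an added illustration of one common class rather than something taken from the report: a storage bucket resource policy that grants access to every principal. The example is written for this page and assumes a policy in the JSON shape used by AWS S3 bucket policies; the account ID, role names and bucket name are constructed placeholders. The checker flags Allow statements whose Principal is the wildcard and which carry no Condition, and is run against a weak policy and a hardened one.

```python
import json

# Constructed weak policy: the "PublicRead" statement grants s3:GetObject to
# everyone on the internet. The account ID and names are placeholders.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-statements-bucket/*"
    },
    {
      "Sid": "AppRole",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-statements-bucket/*"
    }
  ]
}
""")

# Constructed hardened policy: read access is limited to a named role, and the
# only wildcard-principal statement is a Deny that refuses non-TLS requests.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReportingRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-statements-bucket/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-statements-bucket",
                   "arn:aws:s3:::example-statements-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", a string, or a map of lists) to strings."""
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(_as_list(value))
        return out
    return _as_list(principal)


def find_public_statements(policy):
    """Return statements that grant unconditional access to any principal.
    A Deny with Principal "*" is not a finding; an Allow with a Condition is left
    for manual review rather than flagged, since the condition may scope it."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({
            "index": index,
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(policy))
```

The same shape of check (Allow, wildcard principal, no condition) applies to other resource policies on the platform, and the Deny statement in the hardened policy is the kind of guard that "prioritising functionality over security" in a migration tends to leave out. A checker like this belongs in the deployment pipeline, so a policy is rejected before it is applied rather than found by an attacker afterwards.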
Insider threat
Insider threat is a security threat arising from within the targeted organisation, whether through malicious action or through accident. The FCA Insights noted that insider threat remained "a large challenge for firms, especially across an ever-expanding security perimeter that includes suppliers, partner organisations and other third and fourth-parties."
The FCA Insights state that the change to remote working has exacerbated the challenges caused by insider threats. In particular, the CCGs indicated that insider threats have become difficult to monitor and accidental breaches are likely when staff may be more vulnerable (due to increased anxieties and juggling home-schooling and home working) whilst working from home.
Mitigants identified by the CCGs included monitoring of users and systems and awareness training. However, the CCGs acknowledged that a complete solution was unlikely given the unpredictable nature of insider threat.
Supply chain security
The FCA Insights describes identifying and mitigating supply chain security risks as “a significant challenge for firms”, especially given how remote working has increased many firms’ dependency on third party providers.
Feedback from the CCGs makes it clear that there is no “one size fits all” solution in this area, with firms adopting “adaptive” approaches that include a variety of different methods. One of the most popular methods identified by the CCGs was independent audits of third party systems to ensure that a third party has strong security certifications. Other methods came with a word of caution. For example, the CCGs described security questionnaires as a “somewhat flawed approach” even if they do provide “a reasonable standard of risk oversight while being simple to implement” and the CCGs also acknowledged that responses to risk management questionnaires often do not elicit answers to all the questions required. Shared assurance models, which allow multiple firms to input into the risk assessment of a supplier, were suggested by the CCGs as a way to share the resource demand in carrying out due diligence. However, it was recognised that these are hard to implement correctly and there are important privacy and legal liability issues to consider when developing shared assurance model frameworks. Instead, the CCGs reported that building good working relationships with suppliers’ security teams where possible is a way to gain more bespoke and targeted risk assurance.
The FCA acknowledged that risk management can get even more complicated when “fourth-parties” are involved, i.e. when suppliers outsource some of their own operations to third parties. While understanding the complexities in this area, the FCA explained that firms should strive to make fourth-party risk management as robust as third-party risk management.
The FCA Insights identified the following areas as emerging cybersecurity trends and threats.
Zero trust security
Zero Trust security was discussed by the CCGs as a potential remedy for remote working security challenges. Zero Trust security is an IT security model in which no user or device is trusted by default on the basis of its network location: every request for access to an application or resource must be authenticated and authorised, whether it originates inside or outside the corporate network. In principle this removes the implicit trust traditionally granted to anything inside the security perimeter, and so reduces the risk of attackers moving laterally and gaining widespread access to the network once they have breached that perimeter. The CCGs took part in discussions with NCSC Zero Trust experts and agreed that Zero Trust models have a "promising future in addressing traditional network security challenges" and could be a viable mitigant to the threat of ransomware alongside maintaining and updating hardware, software and operating systems and implementing backup and restore procedures.
The use of artificial intelligence
The CCGs identified Artificial intelligence (AI) as an emerging trend and a prospective solution to tackle sophisticated and widespread cyber attacks. Firms can harness AI tools and machine learning to detect cyber attackers earlier and analyse their modes of attack. On the flipside, the CCGs noted that AI could also be used by the malicious actors themselves and so firms must consider AI from both a defensive and offensive cybersecurity stance.
FCA tips and best practices for firms
1. Understand your business
Robin Jones, the FCA's security expert, stressed in a recent Inside FCA podcast that firms must have a strong understanding of their business and the services they provide to clients. This will enable them to set priorities for resilience in their cybersecurity systems and, when designing these systems, to ensure they are secure from the outset.
2. Train staff, including at senior level
The FCA has emphasised the importance of training staff on cybersecurity risks so that they have an awareness of how to identify phishing emails etc., which will help build operational resilience for firms. The CCGs found that education of third-party cyber risks at senior level is essential to ensure effective risk management and accountability within the supply chain.
3. Keep on top of guidance and the development of cybersecurity standards
Guidance and technical standards are regularly published by bodies, including the National Cyber Security Centre in the UK, the National Institute of Standards and Technology in the U.S. and the European Union Agency for Cybersecurity, ENISA, in the EU. Keeping up to date with such guidance and standards is key for regulated firms.
Cybersecurity is undoubtedly an area of focus for the FCA and is relevant to firms' compliance with a range of regulatory obligations, including the FCA's Principles for Businesses and requirements in the Senior Management Arrangements, Systems and Controls sourcebook (known as "SYSC") in the FCA Handbook. The FCA has also created a specialist team (Technology, Resilience and Cyber) to address cybersecurity within the broader context of operational resilience, further demonstrating its growing focus on and expertise in this area.