The Financial Conduct Authority and the Cyber Security Challenge

  • 06.11.2017 09:50 am

The Financial Conduct Authority (FCA) is engaged in an almost dizzying list of activities to defend consumers, the financial services sector and indeed itself from the ever-present threat of cybercrime.

Cyber Security Summit Keynote speaker and Chief Operating Officer of the Financial Conduct Authority Nausicaa Delfas has worked hard to drive a shift in the dial among UK companies in all industries, not just financial services, to have a secure, top-down driven structure so everyone is sensitised to the importance of Cyber Security and understanding cyber risk.

But the notorious WannaCry ransomware attack demonstrated that cyber preparedness does not stop at prevention. To this end, the FCA encourages firms to institute ‘clear and understandable procedures’ for attack or breach response and business recovery which are intelligence-led and in line with the latest attack trends.

Basic IT Security

Ransomware attacks also demonstrate the fundamental imperative of basic IT security, from patch management to vulnerability mapping, and here Nausicaa stresses the need for firms to secure basic IT practices as a matter of principle before seeking to rely on modern technological solutions such as cyber-AI.

And for organisations which depend on third parties for their IT or IT security, the basics are even more important. In such cases the FCA advocates strong relationship management as paramount to successful and secure outsourcing.

Like many challenges facing organisations within the financial services sector, the threat of a cyber-attack is a shared one. As such, for the FCA it is critical that organisations engage in information sharing to build a common base of know-how and best practice in the face of the ever-growing number and complexity of attacks.

Information sharing takes many forms within and outside of the UK’s financial services sector. For Nausicaa, the sharing of information can also be divided into ex-ante and ex-post, and there are important considerations for both. The FCA urged organisations to share experiences on the things that really work, to question collectively what the threats actually are for particular sectors and whether they are seeing certain trends in certain sectors and not in others.

Reporting incidents

Under Principle 11 of the FCA Handbook, financial organisations must report a material cyber incident, including any significant loss of data, loss of availability or control of IT systems, impacts on a large number of customers, or any unauthorised access to, or malicious software present on, information and communication systems.

In addition to the veritable daily cyber-blitzkrieg faced by global finance, firms also face pressures to embrace innovative and disruptive technologies to keep a competitive edge.

The adoption of new technology is not without risk, however. In full awareness of the risks posed by emerging technologies such as IoT, in October 2014 the FCA established Project Innovate, a safe haven for the testing of technology which seeks to benefit the industry.

Since its inception, Project Innovate has grown to encompass the full spectrum of technological disruption, with dedicated teams supporting both traditional and contemporary services. Despite the inherent vulnerabilities of IT, Nausicaa sees technology as a means for strength in cyber defence, with Artificial Intelligence and Machine Learning set to play a significant role in the future.

The FCA’s dynamic approach to Cyber Defence is echoed in its pioneering approach to technology in general, aiding the growth and security of not only the UK’s financial services sector but all those who depend on the services which it provides.

The FCA is committed to raising the profile of cyber security and supporting financial organisations in facing this challenge. Nausicaa Delfas is delivering a keynote address at the 16th November Cyber Security Summit at the London Business Design Centre.

Delfas is speaking alongside senior public and private sector figures, including Mark Sayers, Deputy Director of Cyber and Government Security at the Cabinet Office, and Chris Ulliott, Chief Information Security Officer at the Royal Bank of Scotland.

Author: David Roberts, Event Director at GovNet, organiser of the 16th November Cyber Security Summit and Expo, and co-located GDPR Conference.
