Banking and asset management firms risking cyber attacks

Friday, December 14, 2018


Asset management and wholesale banking firms are at risk of cyber attacks, according to the Financial Conduct Authority (FCA).

The findings come from discovery work undertaken by the FCA following on from its Technology and Cyber Resilience questionnaire. The FCA collected data from 20 wholesale banking and asset management firms to gain a better understanding of cybersecurity measures across the sector. While the sample of firms is small, the FCA believes the findings are relevant to these sectors as a whole.

The study looked at firms of varying sizes, structures and business models. In the asset management space, the FCA spoke to firms with holdings from below £15 billion to over £500 billion. Banks included large global organisations as well as those offering only a handful of specific business services.

The aim of the report was to assess:

  • how wholesale banking and asset management firms manage cyber security
  • how they identify and mitigate risk
  • their capability to respond to and recover from incidents and attacks.

These types of firms hold large amounts of data and therefore a cyber attack can pose a significant threat to clients and the markets in which they operate.

TSB customers hit by major breach

In April 2018, TSB was hit by a major data breach that allowed fraudsters to drain the bank accounts of several customers. The breach came after a series of tech meltdowns that left customers unable to make payments and allowed personal data from online banking to be visible to others. While TSB promised that no customer would be left out of pocket, the breach caused many to lose faith in the bank.

Senior staff not clear on cyber risks

The report shows that while boards and senior management teams are becoming more sensitive to cyber risks, they still don’t fully understand the impact an attack could have or the specific risks faced by their organisation.

The FCA has warned that firms need to do more to ensure these risks are understood across the entire organisation. Firms need to think of cybersecurity as a ‘global’ issue and not the sole responsibility of the IT function.

Firms with a better understanding of cybersecurity tend to mitigate risks by:

  • improving logical access control, only allowing those with a business need to have access to sensitive data
  • putting data classification measures in place to understand which data is sensitive and needs tighter controls
  • training and building awareness of potential risks across the business.

What needs to change?

The FCA stated that firms need to take proactive steps to ensure they have appropriate cybersecurity measures in place. Training is key to ensuring every person from board level down understands the risks and how to mitigate them.

Some firms reported that they used third parties to upskill directors without having to hire a dedicated board member. While this is a good solution for some firms, there is a risk they will become over-reliant on third parties. This could affect the development of the firm’s own cybersecurity measures and the ability of the board to objectively assess their firm’s cyber and control environment. There is also a worry that firms won’t have timely access to third parties if a cyber attack occurs.

The FCA has suggested that board members may wish to ask themselves the following questions:

  • How can I assure myself that I have sufficient grasp and understanding of the cyber risks (including those from the use of third parties) that my firm faces and the impact tolerances of our business services so that I can provide effective challenge to the business on an ongoing basis?
  • What can we, as a board or management committee, do to make sure the firm’s second line of defence is able to provide effective challenge to the first line on cyber-related matters?
  • Which aspects of our approach to conduct risk management could we apply to the way we manage our cyber risk? Does this offer value?
  • How confident are we that our incident management plans would be effective in dealing with the aftermath of a cyber incident?
  • How can we best assure ourselves that we have appropriate future goals and timeframes for cyber risk?

Read the full report from the FCA on their website.