UK fintech is slow runner in cyber defence race
The UK fintech industry has been found wanting in the war on the increasing number of cyberattacks.
In a speech delivered in London, Megan Butler, executive director of supervision – investment, wholesale and specialists at the Financial Conduct Authority (FCA), cited an awesome SF film to get the crowd pumped up.
“As we’re closing in on 2019, this seems a good point to mention that next year – according to the original Blade Runner film – the Earth will be dealing with synthetic humans.
“That prediction hasn’t aged particularly well. But it speaks to an important point. New technologies create threats that are extremely difficult to anticipate. And from a regulatory perspective, this is a fundamental challenge.”
The FCA has passed the empathy tests and notes that firms have reported “significantly” more outages and cyberattacks over the last year.
The regulator also revealed its survey on tech and cyber resilience, which nearly 300 firms completed between 2017 and 2018. In brief, it found nearly half of firms do not upgrade or retire old IT systems in time; and only 56% of firms say they can measure the effectiveness of their information asset controls.
Butler explains that the FCA sees “no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services”.
In the year to October, firms reported a 138% increase in technology outages to the FCA, with 18% of all the incidents reported as cyber-related.
Butler notes that “firms are reporting incidents more robustly” – but “we strongly suspect that under-reporting is still a problem”.
She goes on to say: “We are worried that a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date.
“Both large and smaller businesses described it as a strength in our questionnaire. Yet this is a level of confidence that simply isn’t supported by the data we’ve collected on the ground.”
The FCA’s data reveals that 20% of the incidents reported to it over the last 12 months were explicitly linked to weaknesses in change management, making it the most frequent cause of outages and “implying a mismatch between corporate expectations and reality”.
It warns that this could be ignorance or overconfidence bias.
Butler’s speech was great as she states: “And this overconfidence bias does seem to be particularly characteristic in financial services.”
In terms of more stats, the regulator sees the tech landscape as characterised by massive outsource functionality in IT, with chief information officers (CIOs) commanding armies of semi-permanent contractors, or unregulated third parties. Yet only 66% of large firms, and 59% of smaller firms, told the FCA that they understand the response and recovery plans of their third parties.
On top of this, it says there is a “real problem at the moment around recruiting the right skills at the top level; to steer, set strategy and oversee this model”.
The solution, according to the FCA, is a traditional “three lines of defence” model: namely management control, compliance oversight functions, and independent assurance.
Make no mistake, Butler kept the message clear to the audience: “A major concern that a lot of firms still seem to be trying to get the basics right on cyber.”
The FCA says a third of firms do not perform regular cyber assessments – and smaller firms are “generally relying on old school, manual processes – or no processes at all”.
According to its report, the most mature sectors (in terms of the cyber capabilities of large firms) are non-bank payments, retail banking, and wholesale banking, in that order. The least mature are wholesale markets, retail investments, and retail lending. Among smaller firms, general insurance and protection are the most mature, and retail investments the least.
The essential point in Butler’s view is that irrespective of firm size or sector, “cyber is not just a technology risk; it is a human risk”.
To paraphrase Blade Runner, a new life awaits fintech when it comes to improving cyber defences. A chance to begin again in a golden land of opportunity and adventure!