This article was written by Marcus Clayden.
The regulator recognises the pressure on firms looking to ensure remote working solutions enable them to meet their business continuity and operational resilience responsibilities whilst mitigating the risks posed by those solutions which cyber criminals are increasingly looking to exploit.
This is a live threat: the UK’s National Cyber Security Centre has picked up on more government-branded scams relating to coronavirus than anything else.
The clear FCA expectation is that firms do not in any way reduce their focus on information security controls or cyber risk defences – instead taking pro-active steps to mitigate the increased risks notwithstanding current operational challenges.
We would recommend that those pro-active steps include:
- staff training - reliance on human behaviour remains the most significant weakness in firms’ security controls and it is more important than ever to remind individuals of their personal responsibilities and the way in which new ways of working could expose them to increased or additional risks. The on-boarding process for new joiners should be reviewed with this in mind.
- risk assessments and mitigation strategies - internal information security teams will be examining the exposure presented by operational changes and implementing technical and organisational tools and processes to guard against them.
- third party checks - at the moment, firms may be relying on their outsourced providers to an increased extent – particularly those providing the cloud-based tools which enable regulated functions to be performed remotely. Outsourcing can enable firms to access the latest and most robust information security measures, but the specific protections deployed by current vendors and the way in which the firm exchanges information with and relies upon those providers should be checked to ensure they remain fit-for-purpose. Contract tools like audit rights and governance channels will of course assist with this.
- penetration testing - a firm which identifies weaknesses in its own security measures ahead of a cyber criminal is clearly on the front foot when looking to ensure its defences remain resilient.
Information security has never been higher on the board agenda. Firms that bear parallel responsibilities under financial services regulation and data protection legislation must continue to demonstrate that these compliance steps are being taken and accept accountability for mitigating these business-critical risks.
Please contact David Varney or Marcus Clayden in our Technology and Data team if you have any queries regarding your cyber-security obligations. You may also want to consider our checklist of actions to take in the event of a cyber-attack, which can be viewed here.