FCA: Banking and asset management firms lack knowledge to tackle cyber risks

The City watchdog has warned that top bosses in banking and asset management lack the knowledge to tackle cyber security issues effectively, and tend to dump responsibility on their IT departments.

In a multi-firm review, the Financial Conduct Authority (FCA) found that most board members of wholesale banking and asset management firms “have limited familiarity with the specific cyber risks their organisations face”.

“All the firms acknowledged the importance of strong cyber security. But there were different degrees of understanding of the many potential ways that weak cyber security could affect business activities and lead to harm to clients and the wider markets. This was particularly the case at the board or management committee levels.”

The FCA said awareness is lower in firms that do not have a cyber-specific strategy and where their incident response plans take little account of any impact to their reputation, clients and markets.

It called for firms to not see cyber security as the sole responsibility of their IT function “but as a part of a firm’s activities and business as a whole”.

The review was conducted on 20 of about 3,000 firms in the asset management and wholesale banking sectors that varied in size, structure and operating models. The asset management firms included those with assets ranging from below £15 billion to over £500 billion.

The FCA said the firms “generally lacked board members with strong familiarity or specific technical cyber-expertise”, with many citing their size and the limited availability of independent non-executive directors with knowledge of cyber security.

However, it did note that some companies have hired third-party experts to advise them on cyber issues, but said this could hamper companies developing their own internal cyber defences.

“External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber risks in a timely way. In some cases, it was also unclear whether firms would be able to rely on timely access to these third-party resources if there was a serious problem,” the FCA said.

The FCA also found that not all firms had considered the risk that they could be used to damage other companies or connected infrastructure.

Steve Holt, of Ernst & Young, said the watchdog’a findings should be a catalyst for firms to review their planning, systems, staff education and relationships with third parties, including cloud providers.

He added: “With over £8 trillion in asset under management in the UK, it’s not surprising the regulator is focusing on asset managers and will continue to monitor how firms respond.

“By embedding a security conscious culture, the firms could reduce both their conduct and cyber risks. More worryingly, incident response plans were found to be lacking in impact assessment on customers, reputational damage and the broader market impact.”