Bosses’ lack of cyber security knowledge putting clients at risk, FCA warns

The regulator’s multi-firm review has exposed serious shortcomings at the most senior level for many UK firms

CEO looking isolated and disappointed in a board room

Senior management and board-level executives' limited knowledge of cyber security threats are putting clients and their markets at risk of "serious harm".

That's according to a new Financial Conduct Authority review of asset management and financial firms, which found that businesses are also over-reliant on third-party providers for advice, which can potentially have an adverse effect on a firm's long-term development of in-house cyber capabilities.

Advertisement - Article continues below

"All the firms acknowledged the importance of strong cyber security. But there were different degrees of understanding of the many potential ways that weak cybersecurity could affect business activities and lead to harm to clients and the wider markets," the FCA said.

"This was particularly the case at the Board or Management Committee levels."

The FCA added that awareness is lower in firms that don't have a cyber-specific strategy, and where response plans take little account of non-technical consequences such as the impact to their reputation, clients and markets.

Reviewing a representative sample of 20 UK firms, the FCA said organisations' senior leadership must do better to understand the cyber risks tied with the business' activities, particularly where the management structure is centralised.

Firms should also take steps to create a culture that shifts cyber security from just an IT priority to an organisational-wide issue.

Advertisement
Advertisement - Article continues below

Moreover, the UK's financial regulator published a list of questions board-level staff and senior management can ask themselves as they better-familiarise themselves with the threats they face on a regular basis.

Advertisement - Article continues below

These queries include: 'Which aspects of our approach to conduct risk management could we apply to the way we manage our cyber risk. Does this offer value?' and 'How confident are we that our incident management plans would be effective in dealing with the aftermath of a cyber incident?'

The FCA's findings reflect the view of the UK's National Cyber Security Centre's (NCSC) chief executive Ciaran Martin, who said board-level members must do more to grasp the basics or risk their firms falling behind.

Martin, speaking at the Confederation of British Industry's (CBI's) fourth annual Cyber Security Conference in September, warned executives that cyber is now a mainstream business risk.

"People at board level need to understand the basics and I stress, basics of cyber attacks, cyber risks and cyber defences," Martin said in his keynote address.

"That's daunting, but it is doable. It's essential. And today is a significant moment in our efforts to equip the UK's major companies to do it."

Advertisement - Article continues below

The FCA's view also mirrors Department for Digital, Culture, Media and Sport (DCMS) findings released earlier this year that show UK businesses are failing the most basic cyber security measures. Just 50% of businesses surveyed, according to DCMS, are adhering to the very basics of cyber security, while the figure was even lower for charities.

It's a reality that can be partially explained by a widely-publicised cyber skills shortage, with a report published in October exposing a wide global IT skills shortage that currently stands at almost three million.

ITC Secure's director of cyber security Malcolm Taylor said the FCA's findings confirm what many in the industry have known for some time that the cyber threat is widely misunderstood and underestimated by some.

"I don't think this is limited to these sectors, either it's every sector and at every level," he said. "None of this is a criticism; the cyber threat is a new threat, it is in places deeply complex, and it is presented as almost existentially dangerous.

Advertisement - Article continues below

"I also think the cyber security industry has to take some responsibility for this state of affairs. Cyber security products and services have been sold by some through over-emphasising the fear and the complexity of the issue, but whilst that might work for a one-off sale it doesn't build the essential, trusted partnerships that we need, to more expertly and successfully repel attacks."

Advertisement
Advertisement

Recommended

Visit/security/vulnerability/355236/hp-support-assistant-flaws-leave-windows-devices-open-to-attack
vulnerability

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
Visit/security/cyber-security/355234/safari-bug-let-hackers-access-cameras-on-iphones-and-macs
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020
Visit/security/internet-security/355228/mozilla-fixes-two-firefox-zero-days-being-actively-exploited
internet security

Mozilla fixes two Firefox zero-days being actively exploited

6 Apr 2020

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020