Future of Finance Series, episode 8: a new approach to cyber risk in financial services
The Future of Finance Report describes the cyber risks in financial markets and makes recommendations with respect to enhancing protection against these threats. In its response, the Bank of England focuses on facilitating greater resilience in the sector through the adoption of cloud, AI and other new technologies. More broadly, UK regulators are advocating a new approach to cyber risk based on the assumption that disruptive incidents are likely to occur regardless of firms’ cyber security defences.
This is the eighth instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report and the Bank’s response to it.
The risk of cyber crime and other cyber incidents
Criminals have followed financial services online. The FoF report notes that online fraud and account hacking have nearly replaced traditional theft of banknotes and gold and that over 90% of attacks in financial services target banks. But cyber crime is not limited to theft of funds. It also includes theft of IP or data and other types of attack which are aimed at disrupting activity.
As well as cyber crime, there are other forms of risk which arise from financial services being provided online and increasingly reliant on technology. Incidents such as data breaches or leakages, system outages, flash crashes and failure of third party providers could all disrupt the normal operation of a financial services business and negatively impact its customers.
Preventing crime and building resilience
Given this potential impact on customers, it is unsurprising that a key outcome sought by the FoF report is that the UK financial system “helps prevent cyber-crime” and is “resilient to cyber-risk”. To achieve this, it recommends that the Bank should conduct cyber resilience exercises to explore vulnerabilities, build a model for data recovery in the event of a cyber incident and support wider access to cyber insurance products.
It also describes how firms can prepare for cyber incidents and develop the ability to bounce back quickly from successful attacks, i.e. how they can build resilience.
“The financial system is a constant target for cyber-criminals. Regulators and the private sector need to maximise their efforts to keep up with this dynamic threat”.
The FoF report considers that the Bank has been a “thought leader on cyber-resilience” and together with the FCA has been building wider operational resilience in the financial sector. This work has focused on how financial businesses can keep serving customers in the event of any disruption to operations, including as a result of cyber incidents.
Looking at cyber risk in a new way
The Bank has previously indicated that in its supervisory approach it does not expect firms to be able to withstand the most extreme forms of disruption as that would be inefficient and make the cost of providing critical business services prohibitive. It also recognises that disruption will happen and it is unrealistic to expect that firms should have a zero tolerance for disruption.
Essentially UK regulators are recommending that firms look at cyber risk in a different way – rather than focusing on boosting cyber security and defences to meet increasing risk (the FoF report points out that financial services firms already spend three times the amount that non-financial organisations do on cyber security), firms should assume that whatever cyber security defences are put in place will either be breached or will fail at some point.
Focusing on business continuity
Regulators suggest that the focus of financial services firms at the point of an operational failure should be on keeping their core operations running by whatever means available – not simply restoring the failed systems but considering employing alternative systems or workarounds. A plan needs to be in place ahead of a potential disruption.
The priority is therefore continuity of service, even at a reduced level, for their customers. For example, continuing the availability of a banking app, perhaps with reduced functionality, during a disruption, or prioritising the order in which payments are settled so that time-critical ones (such as house purchases) are processed ahead of others. See our Fintech Insight Building the UK financial sector’s operational resilience for more background on the FCA’s recommendations on how firms can build their broader resilience to operational failures.
Utilising cloud, AI and other new technologies to build cyber resilience
In its response to the FoF recommendations, the Bank includes “facilitating greater resilience and adoption of the cloud and other new technologies” as one of its five priorities. It notes the important role the Bank has in demanding that “changes to core infrastructure are robust and resilient” but also recognises the “potential cyber and operational benefits cloud-based models can bring, particularly for small firms”.
In his speech responding to the FoF report, Mark Carney elaborates on how using cloud technology could “if properly managed”, and “adopted in a safe manner”, “improve the resilience of the overall system”.
To ensure that the benefits of the cloud are realised and the associated risks are well managed, the Bank has announced that the PRA will issue a statement in the autumn setting out its supervisory approach. See our Future of Finance Series episode 2: Embracing cloud technologies – what does this mean for financial services? for more discussion on balancing the benefits of cloud solutions against risk and more details on what is happening next in this space.
Spotlight on cyber incident response and recovery at an international level
The Financial Stability Board – a global financial supervisor – is also working to enhance the cyber resilience of financial institutions with a view to mitigating the implications of cyber incidents on financial stability.
In May this year it published a paper for the G20 on developing a toolkit of effective practices relating to a financial institution’s response to, and recovery from, a cyber incident. It also aims to help regulators and supervisors in supporting financial institutions before, during and after a cyber incident.
The EU is also considering proposals to impose stricter cyber resilience standards on financial services firms and introduce EU-wide cyber resilience testing.
Future of Finance Series
This is the final instalment of our Future of Finance Series in which our team of multi-disciplinary fintech lawyers has focused on eight key themes stemming from the FoF report and their potential impact on the development of the UK fintech landscape.