While cybersecurity attacks are detrimental to any organisation, financial institutions are one of the industries most vulnerable to being targeted in terms of the damage that can be caused.
A staggering 46% of businesses in the UK have reported a cyber-attack in the past 12 months alone, and statistics show that there has been a 238% rise in global cyber-attacks on banking institutions since the beginning of the pandemic. As financial institutions rely on the trust and credibility they establish with clients, the possibility of a cyber-attack threatens this premise on a daily basis. What’s more, as technology continues to develop and more and more clients adopt digital banking practices, the risk from cyber-attacks on banks grows larger, and organisations that facilitate monetary transactions and other financial movements have a duty to play a critical role in fostering financial stability.
In light of this, the regulators are continually adapting their approach in order to identify what resilience measures organisations should be proactively putting in place.
How is technology changing the regulatory approach?
Advancements in technology have meant that financial institutions have been rapidly changing their business models and service offerings in order to meet new demand and keep up with the competition, and this has significantly heightened the risk of cyber-attacks over a short period of time. However, this is nothing new and has been on the regulators’ radar for a while.
Over the past four years, the regulatory toolbox has evolved and continues to do so. Tools that the regulators can use in the UK to assess cyber resilience include the PRA cyber questionnaire (CQUEST) / the FCA Technology and Cyber Resilience Questionnaire, Dear Chairman exercises, CBEST, STAR-FS and Skilled Person Reviews (known as S166s).
The key takeaway here is that regulatory-driven frameworks for assessing cyber preparedness, protection, detection and response capabilities have matured and proliferated across multiple regions around the globe. It is now widely known that the regulators’ oversight of IT and cybersecurity related risks will continue to intensify, with future engagements driven by issues raised, expectations around tolerance levels and guidance issued at the time. This approach will see them sitting down with organisations to further understand and address issues in order to drive an acceptable outcome.
Evolving Policy Creation
You should be under no illusion that the regulators are continuing to strengthen their supervisory approach and capabilities in regard to cyber related risks. With a sharpened focus on understanding, improving and testing resilience to sophisticated cyber-attacks, governing boards should recognise their accountability for ensuring their organisations can respond safely to attacks.
The regulators’ thinking is evolving as their knowledge of various risk areas deepens through regulatory engagement and policy creation. Various regulatory publications detail how inspections, assessments, engagements and thematic reviews have highlighted risk areas where governance and risk management routinely fall short of expected standards. The analysis of these shortfalls points to inadequate practices: a lack of prioritisation, a lack of understanding of cyber and IT related risks, and a lack of overall awareness.
These shortfalls, which are routinely referred to as the basics, have driven the regulators to continue to actively look, through the use of their regulatory tools, for organisations that could be the source or a major channel through which shocks could be transmitted across domestic and international markets. In terms of evolving policy creation, the level of resilience of organisations, including cyber resilience, is a critical factor when regulators look at the resilience of the financial system as a whole. Regulators want to see organisations having the ability to anticipate, withstand, contain and recover from a cyber-attack. Gone are the days where it is acceptable to focus on prevention-centric measures only.
What does this mean for cybersecurity in banking?
Organisations have every reason to be concerned about the ever-changing threat landscape, and it is understandable to be constantly thinking ‘what will the regulators be doing and asking for next?’.
The rapidly increasing sophistication of cyber-attacks means that organisations need to accept that complete security is unobtainable, and need to think about and implement resilience capabilities that will respond in the face of attacks. This means that traditional cybersecurity needs to move away from controls which only focus on resistance and towards the development and deployment of capabilities that will limit the impact and extent of attacks – with the organisation still being able to continue to function, at an agreed level, during an event and then being able to recover.
The regulators expect all organisations, regardless of size, to demonstrate resilience against cyber risk through sound governance – there must be processes for measuring changes to exposures. This also extends to organisations being able to show how they think outside of their own silo. The regulators will never endorse a particular framework, but they do expect organisations to use or align to a clear and comprehensive framework, one which places a significant priority on the safety of critical/essential business functions.
Where can I find help and guidance on the continually evolving regulatory requirements?
Various frameworks such as the NIST CSF and the NCSC 10 Steps scheme are being adopted by organisations, and for good reason. Not only do they help demonstrate and facilitate meaningful conversations both internally and with the regulators; aligning to a framework also helps organisations to treat cybersecurity as a journey and not as a destination. As previously mentioned, complete security is unobtainable – it is about maintaining an appropriate and sustainable security/risk posture.
In addition to following framework advice from your local government, whether you’re a small business or a large multi-national organisation, there are always steps and checks you should be completing on a regular basis; one of the most common of which is performing regular penetration testing. Cybersecurity for financial services doesn’t have a finish line; it is a constant process of improvement and a means of measuring how mature key parts of your testing framework are at any moment in time.
An LRQA Nettitude cybersecurity Maturity Assessment helps you to measure your maturity levels in particular areas of a framework, enabling you to better focus effort on improvement, rather than fighting to keep up with emerging cyber threats. Find out more about the Maturity Assessments on our website, or alternatively, please don’t hesitate to speak to a member of your local team.
Overall, as the cybersecurity landscape is constantly changing, so too is the approach that the regulators take and their requirements for financial organisations. We understand that keeping up with these requirements can be confusing, especially when you’re already struggling to find the time to stay on top of the latest cyber-threats. Remember, there are a range of advisory frameworks from the likes of the NCSC and NIST that can easily be accessed by organisations to support you in adopting the latest cyber best practices.
In addition, the LRQA Nettitude team are always on hand to advise, and we never take a one-size-fits-all approach. For more information, download your free copy of our Perception Report or find out more on how we approach cybersecurity for financial services.