Coronavirus – FCA information security update – UK

• United Kingdom

• Coronavirus - Data and Cyber Security issues
• Financial services disputes and investigations
• Litigation and dispute management
• Financial services

13-05-2020

On 6 May 2020, the FCA published an update setting out its expectations regarding firms’ information security arrangements during the coronavirus outbreak.  

Background

In response to the exceptional circumstances created by coronavirus, many firms have altered their ways of working.  In particular, large numbers of employees are working from home, meaning firms are increasingly reliant on online systems to ensure business continuity.  This shift in working patterns has coincided with a change in the information security threat landscape, with cyber criminals increasingly exploiting the coronavirus outbreak for their own gain, particularly through the use of UK Government-branded scams. 

The FCA’s expectations

The FCA’s general approach to information security and operational resilience focuses on the impact of operational disruptions on the availability of important business services and the potential for such disruptions to cause harm to consumers and market integrity, threaten the viability of firms and, in extreme cases, cause instability in the financial system. 

The latest update does not depart from this approach.  While the FCA acknowledges that alternative ways of working may be necessary to ensure business continuity, it still expects firms to prioritise information security and ensure that adequate controls are in place to manage cyber threats and respond to major incidents.  The FCA is working closely with the industry to ensure that workarounds and business continuity actions implemented during the coronavirus outbreak do not adversely affect firms’ information security controls and their ability to provide services to customers.

The FCA expects firms to proactively manage the increased risk.  This includes:

• being vigilant to the potential increase in security breaches or cyber attacks
• ensuring appropriate governance and oversight arrangements are in place
• reviewing the impact of coronavirus on information and systems security defences, and taking action as needed
• ensuring that general notification requirements are followed, and significant incidents are reported

What should firms do?

In view of the current heightened information security risk, firms should look to implement enhanced monitoring to protect end points, information and firm-critical processes, including network connections and video-conferencing software.

Firms should check the National Cyber Security Centre website for advice on how to keep their organisations secure during the current outbreak.  Firms can also subscribe to up-to-date information on cyber threats by becoming a member of the Cyber Security Information Sharing Partnership.

Firms that outsource information security controls, whether via intra-group or external arrangements, should be reminded that the regulatory requirements relating to information security and operational resilience flow down to their outsourced service providers.  Firms and senior management, however, remain accountable for the adequacy of their outsourced systems and controls. 

Useful links:

FCA coronavirus information security update

FCA coronavirus (Covid-19) hub

Cyber incident notification requirements

National Cyber Security Centre

Cyber Security Information Sharing Partnership