IA Cyber Resilience: Board Engagement & Governance Resources
IA Cyber Resilience: Board Engagement & Governance Resources
Cyber Resilience
**Board Engagement & Governance Resources**
<small>**May 2021**
Introduction
This document includes a series of resources
members can refer to as they look to build
their cyber resilience
NCSC Board
Toolkit
Resources designed to
encourage essential cyber security discussions between the Board and their technical experts.**
NCSC Board Toolkit
The National Cyber Security Centre (NCSC) Board Toolkit offers a selection of resources and best practice guidance developed to raise awareness of cyber risks and encourage necessary discussions between the Board and technical experts. The Toolkit highlights the importance of cyber resilience and why it should be a priority on the Board agenda and breaks it down into the following sections:
Introduction to cyber security for board members
This section of the Toolkit defines cyber security, highlights the risks both firms and individual board members face and the importance of board level awareness and engagement.
Embedding cyber security into your structure and objectives
The NCSC encourages boards to integrate cyber security into organisations objectives, risk management and decision making. This section of the Toolkit provides guidance as to how Boards can better consider cyber resilience by effectively integrating cyber risk with business risk.
Growing cyber security expertise
The results of the Global Information Security Workforce study estimates that Europe will experience a shortfall of approximately 350,000 appropriately trained and experienced cyber security professionals by 2022.
The NCSC provides guidance on organisational planning and strategies to ensure firms attract, develop and retain the right kind of expertise.
Developing a positive cyber security culture
To raise awareness of cyber risk and encourage good practice it is important that Boards lead by example to create a healthy security culture. This section details how Boards can set the tone for good behaviour throughout the organisation by shaping and following effective security policies and processes.
Establishing your baseline and identifying what you care about most
In order to protect assets critical to your organisation’s objectives Boards must first understand key technical assets and any associated vulnerabilities. Boards should have awareness of technical assets and prioritise the ‘crown jewels’ that are key to critical business objectives in order to apply appropriate controls and inform incident response planning.
Understanding the cyber security threat
Threats vary across different organisations. It is important that investment management firms understand the nature of the threats their services and operations face. Firms are encouraged to share information and collaborate in order to better assess and act to address cyber risks.
Risk management for cyber security
Cyber risk should be managed as any other key business risk. The NCSC encourages Boards to incorporate cyber risks into existing risk registers and management processes. This will allow Boards to understand the potential impacts associated with cyber risks and help inform the decision making process.
Implementing effective cyber security measures
The NCSC encourages firms to first implement basic security measures in line with their 10 Steps to Cyber Security. In order to implement this successfully, Board members are encouraged to develop their cyber knowledge in order to understand defences, ask the right questions and appropriately challenge technical experts.
Collaborating with suppliers and partners
Third party risk should be a key concern for Boards as they are still accountable for cyber security failures of their suppliers. Boards should identify the full range of third party suppliers and ensure they are receiving appropriate assurance regarding security measures. Firms should also consider third party risk and impact with regards to incident response.
Firms should be prepared for ‘when’ a cyber attack happens, not ‘if’.
Planning your response to cyber incidents
All Boards should have an incident management plan. It is recommended that these plans are regularly tested and updated accordingly to ensure they are up to date and as effective as possible. The NCSC provides guidance as to how firms should go about developing such plans.
Appendices
Appendices provide firms with guidance on current relevant regulation and what to do in the event of a cyber incident.
Five questions for your board’s agenda
The set of recommended questions highlights the 5 key areas of cyber risk that boards should look at and how they should look to address them. The NCSC provides an overview of these risks and how they could impact your organisation. Possible solutions and the importance of these solutions are also detailed.
Five Questions for your Board’s Agenda:
1. How do we defend our organisation against phishing attacks?
2. How does our organisation control the use of privileged IT accounts?
3. How do we ensure that our software and devices are up to date?
4. How do we make sure our partners and suppliers protect the information we share with them?
5. What authentication methods are used to control access to systems and data?
NCSC Exercise
in a Box
An online tool which helps organisations
find out how resilient they are to cyber attacks
and practise their response in a safe environment
The NCSC Exercise in a Box, first published in April 2019, is an online tool developed to help firms test and practice their response to a cyber attack.
Exercises are based around the main cyber threats to organisations and includes details on set-up, planning delivery and post-exercise activity. It allows firms to conduct the exercises when they wish too, in a safe environment, as many times as they would like.
NCSC 10 Steps to Cyber Security
The NCSC provides guidance on how organisations can protect themselves in cyberspace with their 10 steps to cyber security.
NCSC 10 Steps to Cyber Security
The NCSC's 10 steps to cyber security, first published in 2012 and most recently updated in May 2021, offers guidance on the top 10 security measures all firms should look to put in place to build their cyber resilience. The NCSC emphasise that cyber resilience is a board level responsibility. Protecting key information assets is of critical and strategic importance to the sustainability and competitiveness of businesses and that firms need to be suitably prepared.
Key questions for CEOs and boards
Protection of key information assets is critical
- How confident are we that our company’s most important information is being properly managed and is safe from cyber threats?
- Are we clear that the Board are likely to be key targets?
- Do we have a full and accurate picture of:
- the impact on our company’s reputation, share price or existence if sensitive internal or customer information held by the company were to be lost or stolen?
- the impact on the business if our online services were disrupted for a short or sustained period?
Exploring who might compromise our information and why
- Do we receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting our company, their methods and their motivations?
- Do we encourage our technical staff to enter into information-sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?
Pro-active management of the cyber risk at Board level is critical
The cyber security risk impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology, and finance. Are we confident that:
- we have identified our key information assets and thoroughly assessed their vulnerability to an attack?
- responsibility for the cyber risk has been allocated appropriately? Is it on the risk register?
- we have a written information security policy in place, which is championed by us and supported through regular staff training?
- Are we confident the entire workforce understands/follows it?
10 steps to cyber security
-
Risk management
-
Engagement and training
-
Asset management
-
Architecture and configuration
-
Vulnerability management
-
Identity and access management
-
Data security
-
Logging and monitoring
-
Incident management
-
Supply chain security
Common Cyber Attacks
Firms may also wish to refer to the NCSC's white paper Common Cyber Attacks: Reducing The Impact intended to help organisations understand what a common cyber attack looks like and explains why all organisations should establish basic security controls and processes, to protect themselves from such attacks.
NCSC Guidance
Home working: preparing your organisation and staff
Home working: preparing your organisation and staff
The NCSC offers guidance on how to ensure your organisation is prepared for an increase in
home working, and advice on spotting coronavirus (COVID-19) scam emails.
The Covid-19 pandemic has resulted in an increase in organisations working from home, which in turn presents new cyber security challenges that need to be managed.
Preparing for home working
When setting up new accounts and accesses, the NCSC suggest strong passwords should be set for user accounts. Firms can refer to the NCSC guidance for system owners responsible for determining password policy. The NCSC also strongly recommend that firms implement two-factor authentication (2FA) if available.
Controlling access to corporate systems: Virtual Private Networks (VPNs) allow remote users to securely access their organisation's IT resources, such as email and file services. The NCSC offer guidance on the use of VPNs.
Helping staff to look after devices: They encourage staff to be vigilant when using devices outside the office to minimise any risk to the data held on these. For firms permitting people to use their own devices to work remotely, firms can refer to the NCSC's Bring Your Own Device (BYOD) guidance.
Removeable media: USB drives and cards can contain lots of sensitive information, are easily misplaced, and when inserted into your IT systems can introduce malware. The NSCS offer more guidance on the use of removeable media.
Spotting email scams: there has been a notable increase in Covid-19 related phishing emails. Firms can refer to the NCSC guidance on dealing with suspicious messages.
Top Tips For Staff
Staff might feel more exposed to cyber threats when working outside the office environment. The NCSC offer an e-learning package 'Top Tips For Staff' that an be completed online, or built into firms' own training platform.
NCSC Supplier Assurance Questions
Questions to ask suppliers to help firms gain confidence in their cyber security.
NCSC Supplier Assurance Questions
The NCSC released guidance in December 2020, offering a series of questions firms can ask their suppliers to gain confidence in their cyber security. This forms part of their collection of supply chain security guidance
Their recommended questions cover 10 topics areas:
1. Security governance
They suggest firms should understand who has responsibility for cyber security at the supplier organisation. Knowing who the risk owners are is a key part of gaining confidence in your supplier.
2. Managing and recovering from incidents
Given that data breaches are so common, preparing for such an event reducing the potential harm that a breach can cause is key.
3. Protecting their network
Firms should understand how, and be satisfied that, a supplier protects its network from external and internal harms.
4.Protecting data
Firms should understand how a supplier protects the data on their networks. Basic controls can go a long way to mitigating many of the harms that could befall data on a network.
5. Offshoring
It is important that firms know if any of their supplier's services to them are offshored and if so, how those services meet relevant information security controls.
6. Personal data
Firms and suppliers need to understand and be in compliance with data protection laws.
7. Personnel security
Firms should understand what personnel security controls are in place at their supplier.
8. Physical security
Firms should understand how their supplier physically protects its premises, data and assets.
9. Independent testing and assurance
Firms should understand how the supplier is gaining confidence that their security controls are working in practice.
10. Other contractual considerations
There are several important considerations firms may want to include in their contract with the supplier including:
Consideration of subcontractors
> Are there any specific risk mitigations or controls in your contract with the supplier which must be passed down to all subcontractors?
> Would you wish to be informed if the supplier changes subcontractors?
Cyber security certifications
>Does the supplier hold (or would you require them to hold) any cyber security certifications, such as Cyber Essentials, Cyber Essentials Plus or ISO27001?
Access to data
> Will the supplier (or any subcontractors employed by the supplier) connect, or have access to, your data, IT network or premises? If so, how will this be limited, controlled, and monitored?
> For any remote access to your data or IT network, (for example in cases of outsourced IT support), do you have a remote access support agreement in place?
> Do you log their remote access sessions on your systems, with logs captured to reflect the work done?
Exit strategies
> Contract exit – what provisions are in the contract for secure deletion or return of your data/assets at contract exit, including transfer of services, data or assets to another supplier?
Risk monitoring
> How will you monitor for changes in the information risk profile of the supplier over time? This can occur, for example, when the volume of data being processed by the supplier significantly increases, when different types of data are introduced (e.g. personal data or commercially sensitive data), or when new technology is introduced (e.g. mobile access platforms).
Right to audit
> Should you include a “right to audit” and/or regular reporting on security in your contract with the supplier? Should you require your supplier to build in a “right to audit” into contracts with their suppliers/subcontractors, where this affects the service to you?
DCMS & NCSC: Cyber Essentials
Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security.
DCMS & NCSC: Cyber Essentials
Cyber Essentials is a simple but effective, Government backed scheme that
aims to help firms to protect their organisation, against a range of
the most common cyber attacks.
The Cyber Essentials guide shows the key technical controls that Boards should be aware of and all firms should look to have in place:
Secure your Internet connection with a firewall
Firms should protect their Internet connection with a firewall. This effectively creates a ‘buffer zone’ between your IT network and other, external networks. Within this buffer zone, incoming traffic can be analysed to find out whether or not it should be allowed onto your network.
Choose the most secure settings for your devices and software
Firms should always check the settings of new software and devices and where possible, make changes which raise their level of security. For example, by disabling or removing any unnecessary functions, accounts or services and using passwords.
Control who has access to your data and services
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
Protect yourself from viruses and other malware
Firms should take anti-malware measures such as using an 'allowed list' to prevent users installing and running applications that may contain malware.
Keep your devices and software up to date
It is important that the manufacturer still supports the device with regular security updates and updates are installed as soon as they are released. This is true for both Operating Systems and installed apps or software.
Patching: manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Applying these updates (a process known as patching) is one of the most important things firms can do to improve security.
DCMS Cyber Security Breaches Survey 2021
The Government's annual survey detailing the costs and impacts of cyber breaches and attacks on organisations.
Cyber Security Breaches Survey 2021
On 24 March 2021, DCMS released the results of their survey of UK businesses and charities to find out how they approach cyber security and gain insight into the cyber security issues faced by organisations. The research informs government policy on cyber security and how government works with industry to help ensure the UK's cyber resilience.
Some of the findings include:
-
Among those identifying breaches or attacks, their frequency is undiminished, and phishing remains the most common threat vector. However, impersonation scams and malware (including ransomware) were also common.
- £8,460 is the average annual cost for businesses that lost data or assets after breaches
- 39% of businesses identified cybersecurity breaches or attacks in the last 12 months (down from 2020). Larger businesses are more likely to identify breaches/attacks than smaller ones.
- Among the 39% in 2021, 27% were attacked at least once a week and 23% needed new measures to stop future attacks
NIST CYBER SECURITY FRAMEWORK
A framework to help organisations to better understand and improve their management of cybersecurity risk
NIST Cybersecurity Framework
The US National Institute of Standards and Technology (NIST) has created a voluntary Framework based on existing standards, guidelines, and practices for organisations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organisational stakeholders.
Having an overview of this framework will help Board members understand the key areas of cyber risk management.
The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.
Framework Core: provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organisations in managing and reducing their cybersecurity risks and is intended to be complementary to existing risk management processes.
Framework Implementation Tiers: help organisations to consider the appropriate level of rigour for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
Framework Profiles: are an organisation’s unique alignment of their organisational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritise opportunities for improving cybersecurity at an organisation.
More information on their resources can be found here.
G-7 Fundamental Elements of Cyber Exercise Programmes
December 2020
G-7 Fundamental Elements of Cyber Exercise Programmes
The G-7 Fundamental Elements for Cyber Exercise Programmes are intended as non-binding, high-level building blocks that can serve as tools to guide the establishment of cyber exercise programmes with internal and external stakeholders. They may also serve as guide for establishing cyber exercise programmes across jurisdictions and sectors.
The financial sector's reliance on information technology services and their interdependencies to deliver most financial services, means that a disruption to those services can significantly impact organisations' ability to deliver critical services.
Accordingly, the G-7 developed a set of fundamental elements for effective cyber exercise programmes to help organisations better understand their dependencies as well as to help organisations test their ability to respond to and recover from incidents.
These exercises allow different possible cyber scenarios to be rehearsed by organisations on an individual or collective basis, using a range of methodologies, to help prepare them to effectively respond to and recover from cyber incidents.
Part A Fundamental elements of exercise programmes
Part A outlines the fundamental elements for developing a multi-year exercise programme that comprises multiple exercise types and formats that build upon each other to increase the organisation’s incident response and recovery posture and capabilities.
Effective exercise programme management typically includes the following elements:
- Stakeholder Engagement
- Multi-year Preparedness Priorities
- Improvement Planning
Part B Fundamental Elements of Exercises
Part B outlines the fundamental elements for building, conducting, and assessing individual exercises within a cyber exercise programme.
For effective exercises, the following elements are commonly advised:
- Exercise Design and Development
- Exercise Conduct
- Exercise Assessment
Types of exercises
Exercises can take many forms depending on the objectives of the specific exercise. However, exercises can generally be divided into two categories:
(1) Discussion-based exercises and
(2) Operations-based exercises.
Discussion-based Exercises
These types of exercises familiarise players with existing (or develop new) plans, policies, procedures, and agreements. Discussion-based exercises focus on strategic, policy-oriented issues, and facilitators or presenters lead the discussion, keeping participants moving towards meeting the exercise objectives.
Training and Awareness (Seminar/Workshop): An exercise that orients participants to or provides an overview of authorities, strategies, plans, policies, procedures, protocols, resources, concepts, and ideas.
Tabletop Exercise: An exercise where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants on roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.
Game: An exercise that is a structured form of interactive play designed for individuals or teams in a competitive or non-competitive environment. It is an event players take part in and are guided by clear rules, data, and procedures for its execution. Games are designed to depict an actual or hypothetical situation to ensure that the participants make decisions and take actions that would be plausible.
Operations-based Exercises
These exercises validate plans, policies, procedures, and agreements; clarify roles and responsibilities; and identify resource gaps. Operations-based exercises include a real-time response such as initiating communications or mobilizing personnel and resources.
Functional Exercise: An exercise that allow personnel to validate their operational readiness for emergencies in a simulated operational environment. Functional exercises are designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects (e.g. communications, emergency notifications, IT equipment setup). Functional exercises vary in complexity and scope, from validating specific aspects of a plan to full-scale exercises that address all plan elements including timely recovery of systems and operations. Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency, but in a simulated manner.
Communication and Logistics exercise: An exercise that ranges in scope from simple examinations of the available communication technology to the assembly of the crisis team in the crisis team meeting room. In this exercise, the responsibilities and telephone numbers contained in the plans as well as the procedures, escalation strategy, ability to reach the corresponding people, and rules for substitutes are exercised. The exercise also checks if the plans available are up to date, understandable, and manageable; if the procedures are practical; and if the technologies to be used (e.g. alarm system, emergency telephone, Internet, radio or satellite communication device) are effective, appropriate, and ready for operation.
Full-Scale Exercise (FSE): An exercise, based on a realistic situation that integrates all levels of the hierarchy, from management down to the individual employees, into the exercise. The time and expense required for preparation, execution, and assessment should not be underestimated. Despite this, full-scale exercises should be conducted if the organization places high requirements on business continuity management. Full-scale exercises should be performed regularly but with longer intervals between each business continuity exercise.
FSB Effective Practices for Cyber Incident Response and Recovery
October 2020
Cyber incidents pose a significant threat to the global financial system, particularly given its interconnected nature. In light of this, the FSB reminds firms that enhancing cyber incident response and recovery is essential to limit any related financial stability risks and that the shift to remote working in light of the COVID-19 pandemic have heightened the need for attention in this area.
The toolkit includes 49 practices for effective cyber incident response and recovery across seven components: (i) governance, (ii) planning and preparation, (iii) analysis, (iv) mitigation, (v) restoration and recovery, (vi) coordination and communication, and (vii) improvement.
1. Governance
Effective governance of CIRR involves defining the decision-making
framework with clear steps and measures of success, and allocates responsibilities and accountabilities to ensure that the right internal and external stakeholders are engaged when a cyber incident occurs. Governance also encapsulates the commitment to support CIRR activities through adequate sponsorship by senior management and to promote positive behaviours dealing with, and following, a cyber incident.
2. Planning and preparation
Planning and preparation occur before an incident and play a significant role in determining the effectiveness of CIRR activities. Organisations need to establish and maintain capabilities to respond to cyber incidents, and to recover and restore critical activities, systems and data affected by cyber incidents to normal operations. This includes establishing policies, plans, playbooks, communication strategies and scenario testing.
3. Analysis
Organisations should conduct analysis, including forensic analysis, and determine the severity, impact and root cause of cyber incidents to drive appropriate and effective CIRR activities.
4. Mitigation
Organisations should activate mitigation measures to prevent the aggravation of the situation and eradicate cyber incidents in a timely manner to alleviate their impact on business operations and services. This includes ensuring containment, eradication and business continuity measures are in place.
5. Restoration and recovery
Organisations should restore systems or assets affected by a cyber incident to safely recover business-as-usual operations and delivery of impacted services.
6. Coordination and communication
Across the life cycle of a cyber incident, organisations should coordinate with their trusted stakeholders to maintain good cyber situational awareness and enhance the cyber resilience of the ecosystem in which they operate. During a cyber incident, organisations should communicate on an agreed frequency, granularity and language appropriate to each stakeholder group, in order to engage and promote their CIRR activities.
Close coordination with relevant internal and external stakeholders, including authorities, throughout the CIRR life cycle enables timely communication of progress and outcomes of the CIRR activities. Collective actions can be taken by stakeholders throughout their supply chain or orchestrated in their ecosystem.
7. Improvement
Organisations should establish processes to improve CIRR activities and capabilities through lessons learnt from both proactive tools, such as CIRR exercises, tests and drills, and past cyber incidents. Lessons learnt can be used in the selection and implementation of additional controls and mitigation measures, including changes to CIRR policies, plans and playbooks.
Conclusion
Enhancing cyber resilience requires a multifaceted approach comprising activities to support the Protect, Detect, Respond and Recover functions. While organisations look to preventative capabilities to enhance their Protect and Detect functions, well-established response and recovery capabilities are essential to reduce the impact of a cyber incident and minimise the risk of contagion in the financial system.
FCA Implementing Technology Change Review
February 2021
FCA Implementing Technology Change review
In February 2021, the FCA published the findings from
their cross-Financial Services change management review,
which looked at how financial firms manage technology change,
the impact of change failures and the practices utilised within the industry
to help reduce the impact of incidents resulting from change
management.
This review follows an earlier FCA survey of firms between 2017 and 2018, looking at firms' technology and cyber resilience where they outlined that failed IT changes caused 20% of the operational incidents reported to the FCA, between October 2017 and September 2018.
According to the Implementing Technology Change report, technology plays an integral role in the delivery of financial services and the FCA remain concerned over the number of significant IT failures in the last 10 years and the effectiveness of technology change management in the FS sector. Their analysis of the incident data firms reported shows that change related incidents are consistently one of the top causes of failure and operational disruption.
Change success
The review highlights the following practices identified as contributing to change success:
- Firms with well-established governance arrangements have a higher change success rate
- Relying on high levels of legacy technology is linked to more failed and emergency changes
- Firms that allocated a higher proportion of their technology budget to change experienced fewer change-related incidents
- Frequent releases and agile delivery can help firms to reduce the likelihood and impact of change-related incidents
- Effective risk management is an important component of effective change management capabilities
Change Failure
Practices identified as contributing to change failure:
- Most firms do not have complete visibility of third-party changes
- Firms' change management processes are heavily reliant on manual reviews and actions
- Legacy technology impacts firms’ ability to implement new technologies and innovative approaches
- Major changes were twice as likely to result in an incident when compared with standard changes
Drivers of technology change
The financial industry has needed to change quickly, and in some cases dramatically, as customers demand real-time services, seamless experiences and increased customer journey integration. Regulators have also required substantial change from the industry.
35,000
Average number of changes implemented per firm over 2019
To better understand the drivers of change, firms were asked to allocate their change budgets across six broad buckets. The FCA found that firms dedicated the highest proportion of their change resources to ‘maintenance and upkeep’ and ‘satisfying regulatory and legal requirements’.
High risk projects and programmes
The FCA found that a number of consistent risk factors are prevalent in high risk change projects of all sizes. Firms across all sectors agreed that the most consistent risk factor is when ‘a project is dependent on other projects delivering their objectives’. These projects require the coordination of many moving parts, detailed awareness of the interconnectedness of systems and services, and changes needing to be completed in tandem to fulfil structured project plans.
The review contributes to discussions surrounding Operational Resilience, and is intended to influence firms' implementation of technology change in ways whichreduce the potential for operational disruption.
FCA Cyber Coordination Groups Insights
March 2020
FCA Cyber Coordination Groups Insights
In 2017, the FCA brought together over 175 firms from across financial services to collaborate in groups on cyber security and operational resilience. These Cyber Coordination Groups (CCGs) allow firms to share knowledge of their common experiences and discuss best practices in their approach to cyber security, in order to reduce potential harm to consumers and markets.
In April 2021, building on the insights gained, the FCA issued their third set of CCG insights. These cover 3 themes including, cyber threats and emerging trends, Covid-19 and remote working , and supply chain security.
Cyber risks
The CCGs contribute to, and maintain a ‘Cyber Risk Radar’. This tool was used to highlight numerous cyber risks that the sectors face while tracking and categorising the severity of the threat posed to firms. CCGs were asked to focus on the current threat landscape (evolving threats of interest or relevance) and emerging & future trends (new technology, developing solutions and user requirements, and other influencing factors challenging security response).
Current threat landscape
- Ransomware: CCG members noticed that the use of ransomware accelerated and became more malevolent in 2020. There has also been an increase in pressure for firms to pay ransoms due to the threats of publication of sensitive information..
- Denial of service (DoS): CCG members noted an increase in the scale, sophistication and frequency of DoS attacks in 2020.
-
Cloud security: The 3 major cloud risk areas identified by CCG members in 2020 were misconfiguration, lack of security awareness and account compromise.
-
Insider threat: Insider threat (both malicious and accidental) remains a large challenge for firms, especially across an ever-expanding security perimeter that includes suppliers, partner organisations and other third and fourth-parties.
- Supply chain security: identifying and mitigating risks that exist in supply chain partners remains a significant challenge for firms. Remote working has increased the dependency that many financial sector firms have on some third party providers and several high-profile breaches have illustrated the dangers of cyber-attacks that target suppliers and third-parties.
Emerging and future trends
- Zero Trust security models: as a potential remedy for remote working security challenges.
- Artificial intelligence solutions: could help information security teams analyse millions of events and identify many different types of threats.
Covid-19 and remote working
Covid-19 has increased the challenges of cyber-security teams greatly, through a variety of different issues.
New ways of working
- Remote workforce: the rapid change to remote working and serving customers through digital channels has put an even greater strain on their cyber security teams.
- New risks: the surge in remote working due to Covid-19 has expanded the security perimeters of firms, with attackers seeking to exploit the vulnerabilities in employees’ home networks. CCG members expressed concern over the security of employees’ home devices including routers and IoT devices.
Ransomware and malicious actors
-
Malicious actors ranging from opportunistic attackers to nation-state actors have looked to exploit the pandemic for their benefit. There was an increase in phishing and vishing attempts, many of which used pandemic-related lures to gain access to personal, financial and business data.
Supply chain security
CCG members regularly identify that the risks associated with their supply chains and third parties are a major cyber and operational resilience priority. Members recognised that third party risk management is a complex issue which encompasses third-parties of varying sizes, introducing complicated levels of risk that are hard to manage. This risk increases particularly as firms scale up and use additional third party providers.
General good practice
CCG members discussed a variety of good practices to handling third-party risk management and assurance. Common opinions across the CCG meetings included:
- Independent audits of third-party systems and assurance that a third-party has strong security certifications.
- Concise security questionnaires.
-
Ensuring a robust risk management framework is in place, coupled with a strong accountability chain within a firm.
-
Third party risk management teams can be either too business-focused or too technology-focused, and that a balance needs to be struck to account for both areas.
-
When a third party service changes, fresh due diligence is required to re-evaluate the risks.
Fourth parties
CCG members discussed the additional cyber risks posed when suppliers outsource some of their own operations (fourth parties, fifth parties, etc). These fourth parties are often critical in the supply chain but firms typically have very low visibility of these risks.
Cloud service providers (CSPs)
CCG members noted that CSPs tend to offer more resilience than other third party providers, although their risk should still not be deprioritised due to the high level of firm reliance upon CSP systems.
Shared assurance models
Members felt that shared risk assurance models for third-party suppliers would be of huge benefit as they would allow multiple firms to input into the risk assessment of a given supplier, sharing the resource demand in carrying out thorough due diligence.
Third party risk management products
Third party risk management products can be used to evaluate the risk posed by certain third-party suppliers, and to gain risk oversight of a supply chain. The CCG members were generally disapproving of such products, particularly as they often provide little detail in their reports and do not always reflect the cyber position of an organisation that can change faster than the reporting of such a product.
Covid-19 impact on third party risk management
- Change to auditing practices with on-site audits being replaced by virtual audits.
- Due diligence performed on third parties such as video conferencing technology suppliers that were onboarded at pace were unlikely to have been fully completed.
- Higher levels of remote working have led to an increase in cyber risk tolerance.
FCA CQUEST
The FCA's questionnaire to help to understand firms' cyber resilience capability
CQUEST
The FCA and PRA have created a self-assessment questionnaire to help both firms and the regulators to understand their cyber resilience capability at a high level.
CQUEST consists of multiple-choice questions covering aspects of cyber resilience, such as:
- Does the firm have a board-approved cyber security strategy?
- How does it identify and protect its critical assets?
- How does it detect and respond to an incident, recover the business and learn from the experience?
The answers provide a valuable snapshot of a firm’s cyber resilience capability, and highlight areas for further development. If you would like to complete the questionnaire please email: CQUEST@fca.org.uk.
Reporting a cyber incident
Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:
- results in significant loss of data, or the availability or control of your IT systems
- affects a large number of customers
- results in unauthorised access to, or malicious software present on, your information and communication system
How to report a cyber incident
1. If you judge a cyber incident to be material, report it as follows:
- Fixed firms should contact their named FCA supervisors, and flexible firms should call 0300 500 0597 or email firm.queries@fca.org.uk.
- If your firm is dual-regulated, you should also contact the Prudential Regulation Authority.
- If the incident is criminal, you should contact Action Fraud or call them on 0300 123 2040.
- If the incident is a data breach, you may need to report it to the Information Commissioner's Office.
2. Refer to the NCSC guidance on reporting incidents.
3. Share on the CiSP platform.
CyBOK
Cyber Security Body of
Knowledge
CyBOK
The Cyber Security Body of Knowledge (CyBOK) project aims to codify cyber security knowledge. It is a unique resource, providing for an underpinning body of knowledge encompassing the breadth and depth of cyber security. The project also facilitates the development of learning and career pathways, curricula and professional training.
It aims to bridge the long-recognised skills gap within the cyber security sector, an issue which experts agree is compounded by a fragmented and incoherent foundational knowledge for this relatively immature field. The CyBOK project team have undertaken an extensive exercise involving a mapping and analysis of relevant texts as well as a range of community consultations via workshops, an online survey, interviews and position papers. These activities provided an in-depth understanding of the community’s collective view of the top-level Knowledge Areas (KAs) which should be in the scope of CyBOK. Following these consultations and various inputs, the 19 top level KAs were distilled and these informed the scope of CyBOK (please see accompanying image).
Version 1.0 of the CyBOK was published on 31 October 2019, and was formally launched in January 2020. The next phase of the project focuses on the dissemination and application of CyBOK.
Action Fraud Cyber Crime prevention
Action Fraud Cyber Crime prevention
Action Fraud is the UK’s national reporting centre for fraud and cyber crime run by the City of London Police working alongside the National Fraud Intelligence Bureau.
Action Fraud offer a series of resources to help individuals protect themselves from fraud and cyber crime.
Top tips to keep the cyber criminals out
Fraud and cyber crime are the most common criminal offences in the UK. Analysis of Action Fraud reports showed that 86% of frauds had a cyber element to them. Action Fraud offers a series of simple steps to follow to help prevent cyber crime:
- Create a separate password for your email
- Create a strong password using three random words
- Save passwords in your browser
- Turn on two-factor authentication
- Update your devices
- Turn on back-ups
Reporting fraud and cyber crime
Action Fraud offers a 24 hours online reporting tool which will guide users through simple questions to identify what has happened.
Action Fraud also have a reporting hotline 0300 123 2040 in the event of a live cyber attack.
In the event of a cyber attack, or a related cybersecurity incident, businesses may need to report it to the Information Commissioner's office (ICO). Under the General Data Protection Regulation (GDPR) rules, it is mandatory that firms also report data breaches to the ICO within 72 hours.
Cyber Griffin
City of London Police
Cyber Griffin
Cyber Griffin is an initiative founded by the City of London Police to support businesses and individuals in the Square Mile to protect themselves from cyber crime. They draw on the Police and Action Fraud databases to provide a range of services to assist businesses in the fight against cyber crime.
Services
They offer a range of services free of charge and are designed to be accessible to everyone, whether they have very little knowledge of cyber crime, or are individuals who hold IT security and risk management roles.
Baseline Briefings
Their 'Baseline Briefings' are intended to raise attendees’ baseline level of knowledge by providing advice to those with little or no knowledge of cyber security as well as an overview of intelligence trends.
Table Top Exercise
Their Table Top Exercise is available to help test people's response to both hacking and malware attacks, in addition to physical security threats. This exercise has been shaped and developed by Cyber Griffin specifically for the Square Mile.
Incident Response Training
In addition, they also offer Incident Response Training to help individuals understand how to respond to and manage incidents to safeguard against the loss of revenue, reputation, trust, and assets.
Cyber Defence Capability Assessment Tool
Cyber Defence Capability Assessment Tool, designed by the Ministry of Defence's Defence Science and Technology Laboratory, is available to assess an organisation's current cyber defences and controls and highlight any capability vulnerabilities.
controls and highlight any capability vulnerabilities.
IA Cyber
Resilience
**Events, Training and IA Learning
2021**
Events and training
2021 programme
The IA regularly hosts Cyber Training Sessions and Events to inform members and cascade key regulatory, government agency and
law enforcement messages. Our programme of cyber resilience, operational resilience and technology events and training includes:
Training
29th June: Operational Resilience - SMF24 training
Register here
21st September: Cyber Security for Boards, Senior Executives and Senior Information Risk Owners (SIROs)
Register here
Webinars
22nd April: Surfing the Unpredictable: Inside the Cyber-mind of Investment
Watch back here
See more on our dedicated Events and Training page.
Events
26th May: IA's Operational and Cyber Resilience Forum
In the morning of the 26th May, the IA held the third annual IA “Cyber Resilience for Investment Management Forum" which brought together influential and highly experienced cyber security experts and Chief Information Security Officers from member firms to discuss the latest cyber challenges within the industry.
IA Learning
IA Learning offers a range of cyber training materials to help all increase their awareness of cyber risks and learn how to better manage these. This includes modules on Email Safety, Keeping Safe Online, Manager Awareness, Managing Online Risks inlcuding phishing.
See more here
