March 2020
In 2017, the FCA brought together over 175 firms from across financial services to collaborate in groups on cyber security and operational resilience. These Cyber Coordination Groups (CCGs) allow firms to share knowledge of their common experiences and discuss best practices in their approach to cyber security, in order to reduce potential harm to consumers and markets.
In April 2021, building on the insights gained, the FCA issued its third set of CCG insights. These cover 3 themes: cyber threats and emerging trends, Covid-19 and remote working, and supply chain security.
The CCGs contribute to, and maintain, a ‘Cyber Risk Radar’. This tool is used to highlight the numerous cyber risks that the sectors face, while tracking and categorising the severity of the threat each poses to firms. CCGs were asked to focus on the current threat landscape (evolving threats of interest or relevance) and on emerging and future trends (new technology, developing solutions and user requirements, and other influencing factors that challenge the security response).
Cloud security: The 3 major cloud risk areas identified by CCG members in 2020 were misconfiguration, lack of security awareness and account compromise.
Insider threat: Insider threat (both malicious and accidental) remains a large challenge for firms, especially across an ever-expanding security perimeter that includes suppliers, partner organisations and other third and fourth parties.
Covid-19 has greatly increased the challenges faced by cyber security teams, through a variety of different issues.
Malicious actors ranging from opportunistic attackers to nation-state actors have looked to exploit the pandemic for their benefit. There was an increase in phishing and vishing attempts, many of which used pandemic-related lures to gain access to personal, financial and business data.
Malicious or accidental breaches can happen when staff are more vulnerable because of anxieties caused by Covid-19, while juggling home-schooling, home working or other stresses. This can be exacerbated by longer working hours, resulting in fatigue and potentially poor decision making.
CCG members regularly identify the risks associated with their supply chains and third parties as a major cyber and operational resilience priority. Members recognised that third party risk management is a complex issue which encompasses third parties of varying sizes, introducing layered levels of risk that are hard to manage. This risk increases particularly as firms scale up and use additional third party providers.
CCG members discussed a variety of good practices for handling third party risk management and assurance. Common opinions across the CCG meetings included:
Ensuring a robust risk management framework is in place, coupled with a strong accountability chain within a firm.
Third party risk management teams can be either too business-focused or too technology-focused; a balance needs to be struck to account for both areas.
When a third party service changes, fresh due diligence is required to re-evaluate the risks.
CCG members discussed the additional cyber risks posed when suppliers outsource some of their own operations (fourth parties, fifth parties, etc). These fourth parties are often critical in the supply chain but firms typically have very low visibility of these risks.
CCG members noted that cloud service providers (CSPs) tend to offer more resilience than other third party providers, although their risk should still not be deprioritised, given the high level of firm reliance upon CSP systems.
Members felt that shared risk assurance models for third-party suppliers would be of huge benefit as they would allow multiple firms to input into the risk assessment of a given supplier, sharing the resource demand in carrying out thorough due diligence.
Third party risk management products can be used to evaluate the risk posed by certain third party suppliers, and to gain risk oversight of a supply chain. The CCG members were generally disapproving of such products, particularly as they often provide little detail in their reports and do not always reflect an organisation's current cyber position, which can change faster than the product's reporting.