Author: Miranda Alexander-Webber

Source: Operational Risk & Regulation

Review of 30 financial institutions will lead to first new guidance in seven years

The UK Financial Services Authority’s (FSA) review of cyber and technology practices in 30 major financial institutions may highlight serious weaknesses, a senior consultant warns.

“I am worried that it’s going to show that banks and insurance companies aren’t as good as we the customers think they are at protecting our data and our money,” warns Steve Holt, practice leader for financial services information security in Europe, the Middle East, India and Africa at Ernst & Young.

The review, announced last week, will result in the publication of an updated Business Continuity Management Practice Guide (BCMPG) and discussion paper so firms in the sector can learn from the exercise. The current version of the guide dates from 2006.

“It will highlight potential gaps and will set the bar in a public way for all financial institutions to know what the FSA sees as best practice and what they should be striving to do,” says Holt.

The survey focuses on five themes in relation to cyber resilience including governance, critical systems, critical infrastructure, incident management and threat and vulnerability management.

“The aim was to identify high level technology and cyber resilience practices across the firms,” says a spokesperson for the FSA. “This includes trends and different approaches taken by different types of firms which the sector could learn from.”

The review is in response to the need to tackle the changes in cyber security over the past few years, according to Holt.

“There’s been so much going on in the financial services space, I think this is an area where the FSA recognises it needs to do more and hence why it is doing the review.”

The FSA, meanwhile, says supervisors have been engaged with the financial sector on ways of improving cyber resilience for well over two years. Its first collective desktop cyber exercise took place in September 2010, and two further exercises took place in 2011.

The current review of 30 financial institutions is part of its ongoing programme. The FSA declined to name the individual firms that have participated in the review.

“They are major organisations which were selected because they represent a cross-section of different types of firms from the financial sector,” its spokesperson says.

All participating organisations have already submitted their responses and the FSA is currently in the process of writing up its findings in summary reports, which will be sent to the relevant firms and discussed with them.

The FSA says that an updated version of the BCMPG is due to be published in the second quarter of this year.