UK Financial Firms Do A Poor Job Protecting Their IT Systems

UK-based financial services companies have been in the crosshairs of increasingly sophisticated hackers, and the level of intrusions and outages isn't improving despite awareness of these attacks.

Those are the key findings in the latest report by the Financial Conduct Authority, which released survey data from close to 300 financial services companies it oversees in the UK. The government agency reported a 138% increase in technology outages during the past year and an 18% increase in cybersecurity incidents.

"On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services," Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, said in a speech highlighting the results of the survey.

"The true test of the resilience of UK finance is not the absence of incidents. It’s how well incidents are managed." Butler noted that while firms are being more forthcoming about reporting outages and cybersecurity incidents, the FCA “strongly” suspects a lot of under-reporting is still going on.

Of the firms surveyed by the FCA, most cited cyber resilience as a big concern, with financial services companies pointing to people, third-party management and protecting core assets as the three big areas of weakness. What’s more, close to 80% of respondents are having a hard time getting a handle on what information third parties have access to. They are also struggling to identify and manage the staff that could put the business at risk from a cybersecurity standpoint. Training employees on how to access the network, answer email and surf the Web safely is also falling by the wayside.

The survey showed that nearly all firms highlighted the risk of working with third parties, but only 66% of big firms and 59% of smaller ones understand the response and recovery plans of the third parties they work with. When it comes to including third parties in their cybersecurity plans, that percentage declines to 22% of big financial firms and 19% of smaller ones.

While big financial services firms have automated systems in place to identify potential attacks and kick off the proper responses, smaller players are relying on manual processes or don’t have a process in place at all, the survey found. That is worrisome given that the ramifications of cybersecurity attacks on financial firms can be huge.

“Cyberattacks are now sandwiched between ‘failure of climate-change mitigation’ and ‘large-scale, involuntary migration’ on the World Economic Forum’s 2018 risk landscape,” said Butler in her remarks. “A third of firms do not perform regular cyber assessments. Most know where their data is. But describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time. Only 56% say they can measure the effectiveness of their information asset controls.”