UK Information Commissioner’s Office

New FCA Web Page on Cyber Resilience


On May 18, 2017, the FCA published a new Web page on cyber resilience.

The FCA notes that cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.

The FCA’s goal is to help firms become more resilient to cyberattacks while ensuring that consumers are protected and market integrity is upheld. To achieve this, firms of all sizes should:

  • Develop a “security culture” from the board down to every employee.
  • Be able to identify, prioritize and protect their information assets (that is, hardware, software and people).
  • Detect breaches.
  • Respond to and recover from incidents.
  • Constantly evolve to meet new threats.

Under Principle 11 of the FCA’s Principles for Businesses, firms must report material cyber incidents. A firm may consider an incident to be material if it:

  • Results in significant loss of data or the availability or control of the firm’s IT systems.
  • Impacts a large number of victims.
  • Results in unauthorized access to, or malicious software present on, the firm’s information and communication systems.

These requirements will be updated in line with any future regulations.

Where a firm considers an incident to be material for Principle 11 purposes, it should report this to the FCA and other relevant authorities, including the PRA if the firm is dual-regulated, and to the Information Commissioner’s Office (ICO) if the incident is a data breach.

The FCA states that cybersecurity is a shared responsibility. It takes a cooperative approach to address the threat, working with government and other regulators, nationally and internationally. The Web page contains a link to the National Cyber Security Centre (NCSC) website, together with links to relevant FCA publications.

Findings from ICO Visits to Credit Reference Agencies

On September 30, the UK Information Commissioner’s Office (ICO) published a review of the manner in which personal data is processed by credit reference agencies (CRAs).

Although the report focuses on CRAs, the ICO states that the issues highlighted are equally relevant to other organizations processing large amounts of personal data and to lenders who share information with CRAs.

The report identified certain areas that could be improved, including implementing a process to remind organizations supplying data to CRAs of their obligations under the Data Protection Act 1998, and a system to ensure that all CRAs’ clients are audited at least once a year.

The appendices to the report provide advice for firms relating to each of the topics covered by the report, including training, staff awareness, data sharing, monitoring and reporting issues, and information risk management.