In a recent speech at Bloomberg, Megan Butler, Executive Director of Supervision at the FCA, described the threat level facing financial firms as ‘remarkable’. These comments were made in light of a new a report revealing that the root cause of nearly a fifth of operational incidents reported to the FCA in the last 12 months were cyber-related.

While the scale of the cyber threat facing financial companies will come as little surprise, her organisation’s attitude towards firms that suffer breaches will have been more interesting to many industry observers. The FCA, Butler said, does not expect a culture of ‘zero failure’. Instead, firms must set their own impact tolerances for disruption and learn quickly from incidents and outages. “The true test of the resilience of UK finance is not the absence of incidents”, she commented, “it’s how well incidents are managed.”

Measuring the effectiveness of security controls

When it comes to cyber resilience, firms in the UK financial sector are among the most mature in the world. As the FCA’s Cyber and Technology Resilience report highlights, however, there are undoubtedly still improvements to be made. A large proportion of organisations surveyed reported as having effective cyber security controls in place. However, it is concerning that a third do not perform regular cyber assessments and struggle to measure the effectiveness of existing controls.

Having digested the FCA’s findings, and based upon my experience of helping organisations get the most from their cyber investments, it’s clear that many financial firms need increased help to understand the impact of cyber-attacks and the capability of people, technology and processes to defend against them. After all, how is it possible to have confidence in the controls designed to protect your business if you’re unsure about how effective they actually are?

A lot more also needs to be done to ensure that cyber security risks are better communicated and understood at the highest level. Too many boards still struggle to comprehend cyber risks and their potential impact. Perhaps if C-suite executives were given better quality information about the inherent risks of using old IT systems, for instance, they might be more open to making infrastructure investments.

Our increasing reliance on fintech services and products means that even small outages have the potential to cause severe disruption. From the top down, organisations need to be better prepared to manage and respond to a wide range of problem scenarios.

Custom assessments deliver better outcomes

Given the rate of digital transformation, the interconnected nature of the financial system, and a heavy industry-wide reliance on legacy technologies, the need for finance firms to perform more regular security assessments cannot be stressed highly enough.

For maximum benefit, however, these assessments need to be more attuned to the needs of individual financial sectors. They should be more focussed on delivering the tangible outputs required to help organisations better understand the potential impact of attacks and the true effectiveness of controls.

Ethical hacking assessments such a penetration testing are an important way for firms to identify hidden exposures across networks, systems and applications. For maximum effectiveness, testing programmes should also include more intelligence-led and scenario-based exercises to provide additional insight into the effectiveness of resources and help benchmark performance against specific attack vectors.

Security testing can be aligned to frameworks such as CBEST and guidance published by organisations such as NIST and the NCSC. Aligning testing to the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework, which describes the techniques utilised by adversaries to compromise networks, is also highly recommended. Example scenarios that could be measured include a cyber attacker gaining access to a network via a phishing campaign, insider attacks (both negligent and malicious) and data exfiltration.

Enhancing threat detection and incident response

Another key finding of the FCA’s report is that many firms struggle to identify and respond to cyber incidents. Only the largest firms report that they have automated systems in place to detect threats and assist with incident remediation – which is essential for combatting the rising tide of security incidents. Smaller firms are heavily reliant on manual processes, or lack processes altogether, which means they are more likely to miss or overlook breaches.

Scenario-based security assessments help organisations to measure the performance of their breach detection and incident response capabilities. Any intelligence gleaned can also be used to assist threat hunting, whereby security teams seek to identify new types of threats, as well as help automate incident response procedures. For example, instantly isolating endpoints infected with ransomware from a network.

Improving employee cyber awareness

In her speech, Butler also talked about how a positive security culture can help financial firms to build resilience. Using staff as ‘the eyes and ears’ of a company, she remarked, can help firms to react to threats before they become fully fledged incidents.

An added benefit of scenario-based testing is that it can help to inform the development of more effective cyber awareness programmes. By mirroring the approach of genuine adversaries, simulated exercises are highly useful for raising awareness of attacks such as Business Email Compromise (BEC) attempts. Assessments can also be customised to target high-risk staff, such as system administrators, senior managers and board members.

Getting the right support

With no let-up in the number of cyber incidents affecting UK financial services, it’s important that firms get the most from their security investments. Breaches are now an operational reality, and while the FCA and other regulators are more accepting of this, businesses that fail to validate the effectiveness of controls and processes may find themselves in hot water.

Firms need to make concerted efforts to continually assess the tools and services they are using to ensure they are both suitable for their needs and deliver suitable outcomes. Only by learning from experience and drawing upon that of others through increased collaboration with industry and cyber security partners will finance firms be better placed to address evolving security challenges.