Cyber crime update and reporting requirements
We last wrote on cyber crime in our article A brief adviser guide to cyber security.
Since then, we've seen a significant increase in cyber attacks on financial services firms.
In this update, we want to remind you of the FCA's expectations on reporting operational incidents to the FCA.
Just what does the FCA expect?
Under principle 11 of the FCA’s principles for businesses, firms are required to deal with the FCA in an open and cooperative way, and disclose to the FCA anything relating to the firm of which the FCA would reasonably expect notice.
The FCA expects a firm to report material operational incidents to it. An incident may be material if it:
- Results in significant loss of data
- Results in the unavailability or loss of control of a firm's IT systems
- Affects a large number of customers
- Results in unauthorised access to a firm's information systems
The FCA say that this list is not exhaustive.
If a firm considers the incident to be material, it should report it:
- By contacting the firm's named supervisor (if applicable)
- Using the FCA contact page (if the firm does not have a named supervisor)
- By informing the PRA (if the firm is jointly authorised)
Firms must also consider whether the incident needs to be reported to anybody else:
- If the incident is believed to be criminal, firms should contact Action Fraud via its website or by calling 0300 123 2040
- If the incident involves a data breach, the firm may be required to report it to the ICO (Information Commissioner's Office)
- For cyber incidents, firms may be required to report to the National Cyber Security Centre (NCSC)
- Firms can help other firms by sharing details of the incident on the CiSP platform (the Cyber Security Information Sharing Partnership)
Cyber crime remains a real and growing risk to advisory firms, and it is important that firms are up to speed with FCA expectations when dealing with cyber crime incidents.
It's also worth reminding firms that there is a wealth of information to help them with this. Paradigm's cyber crime hub page contains further links and articles on patches (what they are and why they are so important), as well as details on multi-factor authentication.
What is essential in this environment is a culture in which firms regularly update their protective software and provide training for all staff so that they keep abreast of company procedures and protocols.