How to strengthen your defences against cyber threats

Graeme Stewart

3 October 2023

The recent HM Treasury’s consultation paper on a ban on cold calling for consumer financial services and products reminds us of the real risk of cybercrime to advisory firms.

Fraud is the largest crime type and now accounts for over 40% of all estimated crime in England and Wales. In 2022 there were 3.7 million estimated fraud offences, and 1 in 15 adults were a victim of fraud. The total cost to society of fraud against individuals in England and Wales was estimated to be at least £6.8 billion in 2019- 20. This includes the money lost by victims, the cost of supporting victims, and the costs of recovery, investigation, and prosecution of fraudsters.

In this context, firms need to be ever mindful of the threats posed. However, there’s a lot of help and support out there:

• The National Cyber Security Centre helps firms to build their own cyber action plan and offers hints, tips and guidance.
• The FCA has their Cyber Security Industry insights publications as a resource.
• There is a lot more information and support on cybercrime on our support hub

Firms can support themselves and their clients by looking at the Scamsmart support material that’s also freely available from the FCA.

However, advice firms should also be aware that if they’re unfortunate victims of cybercrime, they may need to report this to the FCA.

Reporting cybercrime to the FCA

Under Principle 11 of the FCA’s principles for business, firms are required to deal with the FCA in an open and cooperative way, and disclose anything relating to the firm of which the FCA would reasonable expect notice.

The FCA expects a firm to report material operational incident. An incident may be material if it:

• Results in significant loss of data
• Results in the unavailability or control of a firm’s IT systems
• Affects a large number of customers
• Results in unauthorised access to a firm’s information systems

If you consider the incident to be material, you should report this to the FCA by:

• contacting your named FCA supervisor, if you have one,
• using the channels on their contact page if you don’t,
• informing the Prudential Regulation Authority (PRA) if your firm is dual-regulated (by both the FCA and PRA), and
• following any specific rules or directions that apply

The FCA also states that firms should consider whether you may need to report the incident to anybody else:

• If you believe the incident is criminal, you should contact Action Fraud via its website or by calling 0300 123 2040.
• If the incident involves a data breach, you may need to report it to the Information Commissioner’s Office (ICO). Please note that the ICO require you do this within 72 hours of becoming aware of the breach, where feasible.
• For cyber incidents, you may need to report it to the National Cyber Security Centre.
• It also helps other firms if you can share details of the incident on the CiSP platform.

Fighting cybercrime must be a collaborative effort in order to ensure our industry retains its integrity and the confidence of our clients. Please get in touch if you’d like to know more.