The FCA has published a summary of insights from its 2020 Cyber Co-ordination Groups (CCG) meetings, which aim to help firms share knowledge and discuss good practices in protecting themselves from cyber threats.
In 2020 the FCA convened 157 firms in 7 CCGs, with each CCG representing a specific subsector including insurance, retail banking and payments firms, and investment management.
2020: an unprecedented year for information security
Reading the summary, it becomes clear that the challenges of pandemic-mandated remote working, coupled with the continuously increasing capabilities of malicious actors, made 2020 an unprecedented year for information security. The shift to homeworking has expanded the security perimeters of firms, as employees' home devices (such as routers) have become points of vulnerability. In addition, challenges associated with effective monitoring have increased.
Commensurate with these challenges, threats against firms have escalated; the use of ransomware accelerated and became more malevolent in 2020, and there was an increase in the scale, sophistication and frequency of Denial of Service (DoS) attacks. Remote working has increased the dependency that many financial sector firms have on some third-party providers, and insider threats (both malicious and accidental) have also become harder to monitor as employees juggle home schooling, home working and other stresses.
Meeting the challenge
The summary is not all doom and gloom, however. In addition to identifying practical steps firms can take to mitigate these cyber-security risks, CCG members highlighted a number of emerging trends which have a promising future in addressing traditional network security challenges.
In particular, Zero Trust security models were put forward as a remedy for remote working security challenges. Zero Trust is a security concept based on the belief that an organisation should not automatically trust anything inside or outside its perimeters, and instead must verify anything and everything trying to connect to its systems and networks before granting access.
Artificial intelligence-based tools were also flagged as a prospective solution to the fact that—as the attack surface of firms continues to grow—cyber-security is no longer a human-scale problem. Given, however, that AI and machine learning techniques also have the potential to be used by malicious actors, AI may need to be considered from both a defensive and offensive cyber-security stance.
Finally, CCG members discussed a variety of good practices to deploy when handling third-party risk management and assurance, while observing that these are likely to differ when managing the risks posed by cloud service providers.
Viewed as a whole, the work of the CCGs underscores the benefits of a collaborative approach in the face of the complex and evolving challenges posed by cyber-security.