In a paper published last month,[i] the UK’s Financial Conduct Authority (“FCA”) set out various cybersecurity insights gleaned from the work of cyber coordination groups (“CCGs”) the regulator established in 2017. The publication of these insights—along with previous communications from the FCA and Bank of England—shows that the cybersecurity practices of financial services firms operating in the UK are under the regulatory microscope as the cyber threat continues to grow. Indeed, in a November 2018 speech, Megan Butler (the FCA’s Executive Director of Supervision) said: “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation of tech and cyber incidents that are affecting UK financial services.”
This client alert summarizes the insights from the recent FCA paper alongside longer-term themes. It also provides our suggestions for how financial services firms should proactively equip themselves to respond to increased regulatory scrutiny of their systems and controls in this area, including a full-blown enforcement investigation.
The FCA Paper
To date, the FCA has…