Cyberattack is not the main cause of IT outages in financial services according to the Financial Conduct Authority (FCA), which identifies over-confidence in change management as one of the riskiest factors. Financial organisations have reported a 138 per cent increase in technology outages so far this year and almost one in five (18 per cent) of these incidents are cyber-related. However, many of the outages are linked to re-platforming and outsourcing failures, with 20 per cent of the incidents reported to the FCA over the past 12 months explicitly linked to weaknesses in change management. These are some of the findings from a report presented yesterday by the FCA, based on a survey of 296 firms during 2017 and 2018 to assess their technology and cyber capabilities.
'No end in sight for bank tech outages'
Megan Butler, executive director of supervision – investment, wholesale and specialists at the FCA, said at an event in London yesterday: “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.” She added that one of the key concerns of the UK financial authorities is that many firms “seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date”.
She said: “There are 2 possible explanations for this. The first is that people are ignoring dangerous or negative information. Behavioural scientists might describe this as an ‘Ostrich bias’. The second is that leaders don’t appreciate the level of risk, or else they overestimate their abilities. An overconfidence bias. And this overconfidence bias does seem to be particularly characteristic in financial services.”
Under-reporting and high-risk staff
Butler noted, however, that although firms are reporting incidents “more robustly”, under-reporting is still a problem. While some technology and cyber-related incidents are to be expected, Butler said that the priority was for firms to resolve any IT problems quickly, ensure strong protection and defences, demonstrate effective management of risk from third parties, and respond to any emerging threats.
Butler also made the point that cyber is not just a technology risk; it's a human risk. All businesses employ humans, who are fallible and make mistakes, whether intentional or unintentional. Butler added: “At the moment, a lot of firms – 90 per cent in fact – tell us that they operate a cyber awareness programme. But a theme of today’s report is that businesses are struggling to identify and manage high risk staff, including those who deal with critical and sensitive data.”
Read more in the report here: FCA report on Cyber and Technology Resilience