The Financial Conduct Authority (FCA) has published a summary of insights from its cyber coordination groups (CCGs) on the current threat landscape and emerging and future trends.
The CCGs allow firms to share knowledge of their common experiences and discuss best practices in their approach to cyber security in order to reduce potential harm to consumers and markets.
It should be noted that the FCA has stated that this is not FCA guidance and does not set out expectations for systems and controls that firms should have in place to comply with the FCA regulatory requirements. However, it would be prudent for firms to consider the insights and as part of their cyber-risk strategy.
The FCA split the CCGs’ discussions into four themes:
Cyber Risks – This sets out the common cyber risks that CCG attendees discussed. Current threats included: risk in the supply chain, use of social engineering to prompt individuals to disclose or otherwise grant unauthorised access to information, use of ransomware, malicious insider threats, and ‘credit stuffing’ attacks. Emerging and future trends included: DevSecOps (integrating security considerations at stage of development process), cloud security risks, payment systems security.
Identity and Access Management – In appropriate or ineffective identity and access management (IDAM) policies, processes and controls can give attackers access to critical systems. Therefore, there is a need to:
- review and challenge existing password policies and test IDAM controls, for example all default passwords should be changed before deploying a system and password managers should be included in vulnerability and patching cycles;
- (where possible) use automated tools to continuously monitor administrative and important accounts internally and consider extending this to include cloud services and other third party service providers;
- retain adequate records of privileged and business services access;
- consider the importance of privileges. For example, it is preferable for the device accessing administrative interfaces or performing privileged tasks to be separate from the standard work desktop / laptop environment; 2-factor authentication and privileged access management procedures should be tested to ensure that they are operating effectively; and separate and segmented controls should be considered to enhance secure access;
- check that the alerts and playbooks are working effectively through ad-hoc testing.
Malicious emails – CCG members noted that the use of log monitoring systems can deliver significant insight into what ‘normal’ email traffic looks like. All emails (those allowed and blocked) should be included in monitoring to give better insight into the potential threat and how it is evolving. There is also an increasing need to maintain a secure email culture, e.g. by creating an internal mailbox / mechanism or button that makes it easy for users to report suspicious emails and provide basis cyber training to staff and measure its effectiveness. Emails should be treated as public information and it is important to account for this in risk assessments and when developing or adapting controls. CCG members agreed that some email addresses can be easily guessed or found online. Controls could include, for example, avoiding using email addresses as usernames, switching off the standard email response message for non-active / existent email addresses, and creating more complex email addresses for key decision makers and high-risk user groups.
Third parties and supply chain – Maintaining a real-time view of dependencies underpinning important business services is vital to understanding the associated cyber risks. Security standards which reflect the firm’s own risk appetite should be clearly defined and communicated to suppliers. Ideally, supplier’s employees should be vetted to the same standard as the firm using them, and in line with risk appetite.
and then 