Covid19 & financial regulation: The FCA reminds firms to prioritise cyber security

6/05/2020

The FCA updated its coronavirus information page earlier today (6 May 2020) with a section entitled "Information security" to remind firms about the increased risks to cyber security given changes to working practices during lockdown.

The FCA has set out examples of the types of behaviour it expects firms to adopt in relation to cyber security at this time. Once again, I don't think any of these are groundbreaking, but now that these steps have been published by the FCA, it behoves all FCA-regulated firms to ensure they can demonstrate their compliance with such practices:

  1. be vigilant to the potential increase in security breaches or cyber attacks;
  2. ensure that they continue to have appropriate governance and oversight arrangements;
  3. review the impact of coronavirus on their information and systems security defences, and take action as needed;
  4. ensure that the general notification requirements are followed, and significant operational/cyber incidents are reported.

Those familiar with my pieces on previous Covid19 and FCA related topics will know that I see the FCA's position on such matters as both constructive and pre-emptive: it sends a clear message to the industry of the regulator's expectations now, and thereby retains the ability to investigate firms' practices, and any failures to apply such standards, once lockdown passes.

But how are firms meant to remain vigilant to a potential increase in IT breaches? Is the FCA now expecting the management of the firms it regulates to be experts in all aspects of IT, especially the use of VPNs and the remote handling of data? Whilst the context of this latest statement may be understandable, the expectations it lays out may seem open-ended.

I don't think the FCA is demanding zero IT issues. However, I do think the FCA expects firms to think long and hard about the effect of operating in this pandemic on all aspects of their business. And it expects Senior Managers to behave and operate their firms in line with SMCR at all times. In that respect at least, perhaps comfortingly, things have not really changed. After all, "plus ça change, plus c'est la même chose".

While alternative ways of working may be needed to enable business continuity, we expect firms to prioritise information security and ensure that adequate controls are in place to manage cyber threats and respond to major incidents. ... We expect firms to proactively manage the increased risk during this unprecedented period.

https://www.fca.org.uk/firms/information-firms-coronavirus-covid-19-response