The global spread of the WannaCry ransomware last month should be a wake-up call for businesses to review their cyber security infrastructure, as no sector or type of firm is immune from attacks. This is particularly relevant considering the implementation of the General Data Protection Regulation next May which requires firms to understand how they hold and process their data, with significant fines for any breaches. Failure to notify a major breach when required to do so will result in a fine up to the higher of €20 million or 4% of total global annual turnover.
It is important for firms to first get the basics right, such as malware protection and patch management. This applies to firms of all sizes, and a risk management approach should be taken in order to understand the operational and strategic risks specific to their business. As attacks are designed to exploit human behaviour, all individuals are targets. Therefore, mitigating cyber risks needs to be done at all levels in a firm, supported by sufficient staff education. All of these risks also apply to any third-party providers, for which firms are responsible. We will be providing guidance to firms in the coming weeks.
The FCA set out in its business plan an intention to focus on cyber risk over the next year. It is not unreasonable to expect that this may include how firms mitigate these risks as part of the authorisations process, particularly the ‘innovative’ firms in the regulatory sandbox. However, its due diligence of some of the business models that have emerged recently does not demonstrate proper controls.
Aileen Lees
Senior Policy Adviser
June 2017