
Top 5 priorities to ensure your cyber security meets FCA requirements

Monday, 15 July, 2024


Cyber Security, what the FCA expects from a regulated firm

Get guidance from the experts on what the FCA expects from regulated financial services firms, to help you build a robust cyber security programme.

For small to medium-sized financial services firms, the volume of cyber security guidance from the FCA and others, including the PRA and the Bank of England, can feel overwhelming. Small firms tend not to have significant in-house cyber security teams, yet they must still be able to show that they fully comply with all the relevant regulations.

To help in deciphering these demands, Lanware has come up with five key priorities which we feel meet the bulk of the expectations of the FCA.

1. Standard Cyber Security Hygiene

The most effective way to reduce and prevent cyber risk is to ensure that all the basic security controls are in place and working consistently. This satisfies the FCA's expectation that every firm has a solid cyber security foundation. A good way of addressing this is to attain the National Cyber Security Centre (NCSC) Cyber Essentials accreditation, which covers the most common controls: firewalls, secure configuration, security updates, user access controls and malware protection, among others.

It is available in two levels, Basic and Plus. We would recommend Plus as the more appropriate level, because it includes a greater degree of audit by an independent third-party assessor. Another useful resource, often referred to by the FCA when it comes to getting the foundations right, is the NCSC's 10 Steps to Cyber Security.

2. Operational Resilience

Operational resilience is the ability of a firm to prevent, adapt to, respond to, recover from and learn from operational disruption, with a major focus on cyber security. Firms must be able to demonstrate that they have been through a “mapping exercise” for their important business services, including setting impact tolerances for failure scenarios. The investments needed to keep the firm operating consistently within its impact tolerance should be made, and those tolerances should be tested.

For example, a fund manager may identify generating orders to meet client subscription and redemption requests as an important business service. The firm uses an order management system (OMS) to provide the service. Disruption to the OMS could affect both the firm’s customers and, potentially, the markets in which the firm operates.

The firm maps out this business service and its connecting components, such as third-party providers, and performs an impact assessment against various failure scenarios (e.g. a cyber attack), then sets tolerance thresholds (downtime and financial loss). It then performs a series of tests that simulate a cyber attack to confirm that it can recover within a known time frame and within its tolerance threshold. For a cyber attack, the relevant measure may well be the time taken to detect, respond to and recover from an attack that destroyed all of the firm's data and required a full restore from backups.

3. Cyber Threat Intelligence

It is not enough for firms to sit back and wait for cyber threats to affect them; they must be proactive and able to predict and prepare for potential attacks. It is therefore important to understand who is likely to target them, how they will be targeted, what the attack will look like and what the attackers will be after. This is known as a threat intelligence programme.

Typically, this means that the security function does not just look internally at its own security environment, but also externally, by taking in threat intelligence feeds as well as sources such as social media, forums and the dark web. An example of one such platform is Connect Inform Share Protect (CISP), where cyber security professionals in the UK collaborate on cyber threat information in a secure and confidential environment. It is managed by the NCSC and membership is free. With this intelligence, firms can be prepared to respond to a potential attack, and to act in the event that they detect they have been breached.

4. Training and Awareness

The FCA expects that cyber security should not just cover technology but be ingrained in your people and processes too. Cyber criminals don’t need to test your technical defences when your people are a much softer target. Therefore, it is important to focus on the following areas:

  • Deliver induction cyber awareness training and testing for all staff
  • Provide access to cyber security workshops and simulations to reinforce vigilance
  • Have dedicated communication channels for security event/incident reporting
  • Perform dummy phishing exercises
  • Get everyone involved in cyber security practices, not just the IT department

5. Leadership & The Board

The FCA holds board executives accountable for cyber security; it is no longer just an IT issue, no matter the size of your business. IT leaders should work with their board to advise and guide them on cyber risks, focussing on the following:

  • Elevate cyber risk to a top-level priority. Implement a comprehensive risk management strategy to communicate and quantify cyber risks associated with business activities, client relations, and brand reputation.
  • Enhance executive cyber literacy. Conduct educational sessions for leaders to deepen their understanding of cyber threats. Utilise real-world examples and media reports of cyber incidents to underscore the relevance of these risks to their operations.
  • Provide executives with a streamlined dashboard that categorises cyber security metrics into satisfactory, needs improvement, and sub-par categories. This dashboard will translate cyber risks into familiar terms, such as financial impact or reputational harm.

In conclusion, Lanware’s five key priorities offer a simple guide to ensure that small to medium-sized financial firms not only comply with FCA regulations but also fortify their defences against the ever-evolving cyber threats.
