Ensuring regulatory success: Cyber Essentials for financial firms
In 2023, the financial sector was responsible for 12% or £278 billion of the UK's economic output. As the Institute of Directors reports, the financial sector is one of the most targeted for cyber attacks.
Given the sensitive data financial firms process, robust cyber security measures and reliable IT support are essential. With these measures implemented, firms can ensure compliance with regulatory standards and help safeguard their systems.
Financial firms must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA), both of which are regulated by the Information Commissioner's Office (ICO).
Additionally, the Financial Conduct Authority (FCA) expects regulated firms to use effective cyber security measures to protect their data. By 2025, financial firms operating within the EU must meet the Digital Operational Resilience Act (DORA) requirements.
Data breaches are expensive and could damage a firm's valuable reputation and client trust. By understanding what the regulators require, you can make better cyber resilience decisions for your firm.
Table of contents
- Regulatory compliance and cyber security
- Risk management: identifying and mitigating cyber threats
- Educating users: the first line of defence
- A cyber security framework: Cyber Essentials for the finance sector
- Business continuity and disaster recovery: preparing for worst-case scenarios
Regulatory compliance and cyber security
Regulators expect financial firms to protect and secure sensitive financial data from unauthorised access.
In practice, this means policies and thorough risk analysis, appropriate data management, security policies, and the implementation of physical and technical security measures.
Texaport provides specialist IT support for financial services, assisting clients in navigating the complexities of cyber security with ease.
The ICO says a firm must have 'appropriate security in place to prevent the personal data you hold being accidentally or deliberately compromised'. There's also a 14-point checklist which includes:
- Undertaking a risk analysis and assessing the appropriate level of security to put in place.
- Using encryption and/or pseudonymisation where it is appropriate to do so.
- Putting measures in place to test the effectiveness of your security.
The FCA covers cyber security in its Principles for Business (Principle 3) and its Handbook's Systems and Controls sections (SYSC 3.1.1 and SYSC 3.2.6).
Additionally, the FCA encourages firms to use the Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST) framework to help develop robust cyber resilience. The Bank of England provides a detailed implementation guide.
If your firm does suffer a data breach, the fines can be substantial. A serious breach of GDPR can result in a fine of 4% of annual worldwide turnover or £17.5 million, whichever is higher.
Additionally, a data breach could damage a firm's reputation and people affected could sue for compensation.
Here's how your firm can strengthen its cyber resilience, starting with risk management.
Risk management: identifying and mitigating cyber threats
The best approach is proactive rather than reactive, starting with the two main elements of a cyber risk assessment: threats and vulnerabilities.
Common vulnerabilities include a 'forgotten' device or outdated software that a threat actor could exploit to access your firm's network and sensitive data.
Regulatory compliance software can help. Vanta's trust management platform covers Cyber Essentials, GDPR, ISO and PCI-DSS, among others.
Texaport's IT support for finance firms provides expert help in assessing your system for threats and remedying any vulnerabilities. Additionally, our penetration test services will determine how resilient your system is to cyber attacks.
A sometimes forgotten part of your security posture is your users.
Educating users: the first line of defence
Verizon's 2023 Data Breach Investigations Report says that 74% of data breach incidents included some form of human error. Two risk factors affecting financial firms the most are clicking on phishing links and poor password hygiene.
You can significantly reduce these with cyber security training for your users. At Texaport, our cyber security training allows users to learn at their own pace, including live tests and progress reports. It's all part of our IT support for financial services.
Help is also available from the National Cyber Security Centre (NCSC) through their Cyber Essentials accreditations, which regulators often regard as a minimum baseline for cyber security.
A cyber security framework: Cyber Essentials for the finance sector
Cyber Essentials (CE) is a government-backed scheme to help you protect your organisation from common cyber attacks. These include phishing, ransomware, unauthorised access and supply chain attacks.
Ransomware is one of the fastest growing threats, with 59% of firms in the financial sector surveyed by Bridewell having had a ransomware attack in the previous 12 months.
Another benefit is that a firm can show clients they've received the accreditation by putting the CE logo on their website.
There are two levels of accreditation – Cyber Essentials (self-assessment) and Cyber Essentials Plus (requires a third-party audit). Both accreditations are valid for 12 months.
The five technical controls your firm must have in place for CE are:
- Firewalls.
- Secure configuration of networks and devices.
- User access controls.
- Malware protection.
- Patch management.
The NCSC has guidelines explaining the standards your financial firm will be required to meet.
Texaport provides Cyber Essentials for the finance sector using our bespoke approach, as we did for Forth Capital for their accreditation. We ensured their systems were compliant and assisted with their CE accreditation:
"They are a valued partner within our business and I would have no hesitation in recommending them to others."
Nicole Lowes, Operations Manager, Forth Capital
In addition to a strong cyber security posture, your firm must have a business continuity and disaster recovery plan.
Business continuity and disaster recovery: preparing for worst-case scenarios
If your firm is attacked, getting your IT systems up and running again as soon as possible is vital.
The best way to prepare is by auditing your software and data to see what you use and when. You can then decide which items are critical and develop an appropriate action plan.
You'll also need a plan to report a data breach to the ICO and FCA. The ICO's website explains what information the ICO expects from you and what to do. The FCA Handbook (SUP 15.3 General Notification Requirements) covers this topic.
Maintaining regular, secure data backups and running regular business continuity and disaster recovery tests is crucial.
With so much to consider and organise, having expert help can ease the pressure on your company's teams. Texaport provides IT support for finance companies, where we assist your firm with an ongoing IT support strategy as we did for Wardog Studios.
We assisted them with cyber security, a disaster recovery plan and ongoing IT support. In addition, we took the entire Wardog team through CE accreditation.
We can help your firm remain compliant with regulations and secure through thorough security audits, providing critical infrastructure for security monitoring, patch management and regular security assessments.
For our clients, Texaport can act as virtual Chief Information Officers/Chief Information Security Officers, providing expert help to build a robust long-term IT strategy.
Conclusion
To sum up, a resilient cyber security posture will help keep your firm compliant with regulations, secure your data, and reassure clients.
By combining risk management to identify and mitigate potential threats with the proven framework of the Cyber Essentials accreditation, you can help keep your systems and data secure.
Equally, having a disaster recovery and continuity plan means you'll be able to get back to work quickly if the worst happens.
As the statistics show, your firm is a tempting target for threat actors, meaning that robust IT support for finance firms is essential.
Ready to strengthen your security? Contact us today for an initial Cyber Essentials audit to help your financial firm create a strong security baseline.