A guide to staying on guard online
The NHS cyberattack earlier this year should reinforce the need for financial services regulators to improve safeguards. But what exactly have regulators been doing to help protect firms and their clients?
Anti-money laundering (AML) and counter terrorist financing (CTF)
As the UK is a major global hub for investment and economic activity, it is attractive to criminals and terrorist organisations seeking to hide proceeds of crime.
The introduction of the Fourth Money Laundering Directive replaced the old 2007 regulations and resulted in the Money Laundering Regulations 2017, which came into force on 26 June 2017.
The new regulations update the existing AML/CTF regime with the aim of improving safeguards and ultimately stopping funds being available to criminals and terrorists. The new measures include a greater emphasis on a risk-based approach to compliance that is proportionate to the business.
For smaller firms, the impact on new processes is not likely to be onerous. But larger firms, if they have not already done so, may need to make more significant changes to accommodate the new regulations.
Later in 2017, the Financial Conduct Authority (FCA) will be given new powers to review the quality of AML/CTF supervision carried out by professional bodies such as the Solicitors Regulation Authority and the Institute of Chartered Accountants. These professional bodies will be subject to a new fee to pay for this supervision.
The threat of a cyberattack can affect any firm connected to the web. The attack on the NHS showed exactly how much disruption and damage such an attack can cause. It does not matter what business you are in: you are at risk if you rely on cyber.
The risk is increasing; in recent months there have been a number of high-profile attacks on different types of organisations. These have been well organised and there is a suggestion they could have been state-sponsored.
Financial services firms have had their fair share of cyberattacks. Those that have been well-publicised include HSBC, Lloyds and Tesco Bank. Considering the current industry push to develop new technologies, the potential effect of an attack will rise as firms’ business models place more reliance on cyber to do business.
The threat of cyber-enabled crime is ever-evolving. Nausicaa Delfas, executive director at the FCA, made a speech to the Financial Information Security Network where she said, ‘we have to expect the unexpected’. She indicated how, over the past 12 months, the FCA has witnessed changes to the threat, including the development of several innovative and dangerous criminal networks. This has included the re-emergence of ransomware (used in the NHS attack), which was a previously known strategy for criminals.
So how do financial services firms protect themselves?
Delfas said: ‘Many organisations believe they are getting the basics right, but in reality they are not.’ Yet, ‘getting the basics right could prevent 85% of breaches’. The FCA has published a new guide on ‘Good cyber security – the foundations’ for firms.
There are a number of components that make up a good cyber security strategy. Some of these you may already be aware of, such as strong passwords, firewalls, intrusion prevention systems, anti-malware applications, encrypting sensitive data, disaster recovery and keeping patches up to date.
However, even if you have all of these elements, your security can still fail due to the human element. User errors are one of the most common reasons for a cyberattack, so it is certainly worthwhile for all of us to learn a bit more about cyber security.