Technology outages at UK financial services firms have more than doubled over the past year, according to data compiled by the Financial Conduct Authority.
Releasing the results from a recent survey of almost 300 supervised firms, the watchdog reports a 138% increase in technology outages, alongside an 18% increase in cyber incidents.
Presenting the results, Megan Butler, executive director of supervision, FCA, says: "On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are effecting UK financial services."
She says the regulator does not expect ‘zero-failure’: "The true test of the resilience of UK finance is not the absence of incidents. It’s how well incidents are managed."
Nonetheless, with debit card transactions outstripping cash payments for the first time, the watchdog is "deeply concerned" that the number of technology incidents reported has increased, with many outages linked to re-platforming and outsourcing failures.
"Everyone knows that firms need to make regular changes - of varying size and complexity - to technology estates, and that from time to time things will go wrong," she says. "But we are worried that a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date."
Butler points out that a lot of the time it isn’t technology at fault when things go wrong. It’s classic systems and control failures.
In October, the FCA slapped the banking arm of UK supermarket chain Tesco with a £16.4 million fine for its failure to prevent a cyber attack that affected thousands of customers in 2016.
Butler says that the bank had specific warning of the threat and failed to put in place an effective defence, "which left its customers in a vulnerable position for a significant period of time. It then had to fix the problem in an urgent situation as attacks to its customers were being made which, in the end was effective, but only after attacks had succeeded. It should never have exposed its customers to a known cyber risk."
Butler says there is a clear problem at the moment in recruiting the right skills at the top level; to steer, set strategy and oversee the armies of semi-permanent contractors, and unregulated third parties running bank IT platforms.
"Historically, and for most of my career in this industry, the rock stars of finance were always the alpha traders.," she says. "Today, it’s the CIOs and IT consultants who are in high demand and short supply. Meaning the best are difficult to employ and hard to retain. A challenge reflected by the fact that all the wholesale banks and asset managers we met after this survey said they were concerned about a shortage of cyber expertise."
Sharing top billing with operational resilience in the watchdog's list of concerns is the ongoing issue of cyber-resilience,
Describing the current threat level as "remarkable", Butler warns:"We are seeing some serious vulnerabilities across areas like identification of key assets, information and detection. A third of firms do not perform regular cyber assessments. Most know where their data is. But describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time. Only 56% say they can measure the effectiveness of their information asset controls."
Butler's concerns are shared by the UK Government's Treasury Committee, which last week opened an inquiry into bank IT failures after a string of high profile incidents at major banks.
The Committee will examine the ability of financial services institutions to guard against service disruptions and to put things right in the event that disruptions do occur, and whether regulators have the relevant skills to adequately hold people to account.
Editorial | what does this mean?