The Training Environment For Financial Services

Cyber-Security for FCA Regulated Firms

14 Nov 2019, City of London

9:30am to 4:30pm

Outline & Objectives

The latest disclosures about serious cyber security breaches affecting UK financial institutions and their customers have emphasized the scale of the threat. Yet it is estimated only 1 in 5 firms communicate effectively with executive management about cyber-attacks, weak cyber-security features repeatedly in FCA disciplinary cases and Boards continue to devote insufficient time and resources to this critical issue. The implementation of the General Data Protection Regulation (GDPR) has added an additional layer of complexity and potential risk.

The FCA rules, guidance and ‘standards’ for cyber-security are still vague and principles-based, despite the increasing sophistication, volume and variety of cyber-attacks affecting regulated firms. Adding to the challenge are the different standards and requirements in the US and Europe, which need to be navigated by firms whose activities are conducted cross-border.

This practical course is designed primarily for Compliance, Risk and Legal professionals in small to medium sized regulated firms who number cyber-security among their responsibilities. It will also be of value to IT specialists who are new to cyber-security in a FCA regulated environment. It will help you keep up to date with developing best practice and the evolving rules, guidance and standards in this fast changing and increasingly important area of business and regulatory risk.

Specifically, attending will help you:

  1. Review the impact of regulatory developments and priorities concerning cyber-security, with a particular emphasis on what can be learned from market leading developments in the USA
  2. Update and refresh your knowledge of the current threat landscape and regulatory requirements
  3. Assess the appropriateness of your governance arrangements for managing cyber-security risk
  4. Understand the effectiveness of a well-constructed risk assessment
  5. Audit the effectiveness of your cyber-security controls
  6. Understand how meeting the requirements will affect your business and client interactions
  7. Consider how you can evidence the effectiveness of your cyber-security arrangements

Training Approach

This course will make use of structured presentations and CASE STUDIES that run throughout the programme to explore and illustrate regulatory expectations and developing best practice in cyber-security for financial services organisations. The case studies will be conducted in small groups and will include an investment firm, a multi-national insurer and a consumer credit firm. Group size is limited to facilitate sharing of experience among the delegates.

Course Presenter

Gary Pitts has over 25 years’ compliance experience in the UK and overseas, including spells with the Personal Investment Authority, Henderson Global Investors, Brevan Howard Asset Management, Religare Capital Markets and as a Managing Partner of a boutique financial services house. He is a former director of Cayman and Luxembourg domiciled hedge funds, as well as regulated companies in the UK and South Africa, and has been an FSA/FCA registered person in Controlled Functions 10 and/or 11 since 2001. He now runs his own governance and regulatory consultancy: Tetractys Partners LLP. Gary is a regular conference speaker and author of technical articles on compliance related topics and sits on the regulatory advisory group of the Journal of Securities Operations and Custody. He brings a combination of compliance and commercial experience, in terms of both practical implementation and Board level oversight, to the training he delivers.

Course Programme

Session: The scale of the threat
Aim: To assess the latest information about the scale, nature and cost of the cybercrime threat to regulated businesses
Content:
  • What are the latest cybercrime statistics?
  • Some recent real-life cases of attacks
  • A review of the types of threat
  • What happens when you get it wrong

Session: The UK regulatory background and requirements
Aim: To understand the background rules that govern cyber-crime (including data security laws and financial crime) and the obligations these create for firms
Content:
  • Integration with financial crime controls requirements
  • What guidance is available and where do we find it?
  • Role of the Office of the Information Commissioner
  • Systems and controls and record keeping

Session: Cyber-security best practice
Aim: To examine the emergent regulatory and security practices in the USA (which are more developed and prescriptive than those in Europe)
Content:
  • Examine and understand US approaches to regulation and controls
  • Draw out approaches which are useful for course attendees (practical)
  • Implementing these approaches while minimizing bureaucracy

Session: Risk Assessment and Controls
Aim: To use a framework to undertake a practical risk assessment and control identification process
Content:
  • Using current best practice to help develop an accurate risk and control assessment
  • Evidencing and quantifying the risk
  • Syndicate exercise / group discussion

Session: Cyber-security governance
Aim: To define the extent and nature of the governance requirements that need to be associated with cybercrime, with an emphasis on meeting the FCA SYSC requirements
Content:
  • The importance of proper governance
  • Regulatory benchmarks for governance
  • Ownership of each level of the governance process
  • MI – sorting the wheat from the chaff

Session: Incident response
Aim: To understand the impact of a poor response to a major IT security incident and construct a robust incident response framework
Content:
  • What are the consequences of a poorly handled major incident? Real life examples.
  • What does a “good response” look like?
  • How do I construct an incident response framework suitable for my organization (practical)?

Session: Compliance oversight and internal audit
Aim: To examine the role of Compliance, Internal Audit and IT Teams in managing cyber-security risk
Content:
  • Exercise: establish a compliance regime for cyber-security controls
  • Systems and controls
  • Examples of good and bad practice

This course can be delivered in-house at a time and location to suit your business and tailored to suit your people and organisation. We can also create bespoke training when something very specific is needed. Please contact us to discuss your requirements in more detail and at no obligation.
