Financial firms have admitted they don't upgrade or remove end-of-life kit fast enough, can't identify all staff dealing with critical data, and don't maintain a comprehensive list of partners with system access.
Financial institutions are under increasing pressure from the sector watchdog, MPs and the public to improve their cyber and technological resilience, amid a spate of banking outages and high-profile data breaches.
The Financial Conduct Authority carried out a survey of almost 300 large and small firms to assess the state of resilience against its own figures for operational failures between September 2017 and October 2018.
Overall, there were 646 operational incidents in the year, with 511 classed as technology and 119 as cyber. The rest were non-tech issues, such as flooding. But the FCA noted it thought firms were under-reporting major events.
Throughout the report (PDF), published this week, the watchdog expressed disappointment that some fundamental aspects of resilience are not considered, or properly prepared for.
It warned that, although financial businesses may report maturity in some areas, these strengths will be undermined by weakness in another – and that many of these are obvious areas to tackle.
"We are concerned that firms are not addressing the more obvious risks presented to their business and customers by their technology estate," it said.
Among the weaknesses identified was a lack of knowledge about third parties, the second-highest root cause of operational incidents, accounting for about 71 in the year, of a total 646.
Despite most organisations (80 per cent) saying they maintained a register of these parties, they didn't hold a comprehensive list of every partner or all of those with access to systems and data.
Only 66 per cent of large and 59 per cent of small firms understood their third parties' response and recovery plans – and just 22 per cent and 19 per cent, respectively, included third parties in their own testing plans.
The FCA said it was disappointed with this, "given the wide understanding of the risks third parties pose to firms' operational resilience, and the number of incidents involving third parties".
Organisations had similar problems managing end-of-life assets. Although most said they regularly reviewed hardware and software, these were often manual or ad hoc processes, with no continuous view of the kit.
Moreover, the FCA said that when reviews do take place, "nearly half of firms do not upgrade or remove end-of-life assets within a reasonable timeframe". Nor did they set out measures to beef up risk management practices in the meantime.
"There is a significant risk that vulnerabilities of unsupported assets are not identified and fixed in a timely way," the FCA said. "This is a regular route for attackers."
Another obvious entry point for attack is people – but again companies appeared to be missing the mark.
They reported offering only ad hoc training, and had problems identifying and managing high-risk staff that dealt with critical and sensitive data – even when they did know who was high-risk, only 47 per cent provided extra training.
"Given the prevalence of social engineering and phishing as a means of cyberattack, often targeting these roles, this presents a significant weakness," the FCA said.
"In many cases this risk is compounded by a simultaneous lack of monitoring of staff activity, so firms are unlikely to detect anomalies in staff behaviour and subsequent activity."
Only the largest firms were said to have automated systems to spot potential cyber attacks and support a response. Others rely on manual processes – or have none at all.
However, most operational incidents were identified as being caused by IT changes, 91 of the total reported in 2017-18.
The FCA said this exposed a disconnect between the reality and the firms' self-assessed strengths, as they broadly viewed their abilities in this area as mature.
Reiterating comments made in its recent paper on resilience, the FCA said it recognised that sometimes things will go wrong.
But it emphasised that the survey results indicate that major issues it has already set out, like identifying important business services or making recovery, aren't part of companies' thinking.
It said the main issues identified in the report – third-party and change management – will be considered in its supervisory plans for 2019. ®