The UK Treasury Committee has questioned the ability of the UK’s Financial Conduct Authority (FCA) to react to cyber attacks due to its lack of IT expertise on the board of directors.
The committee grilled the chairman and chief executive of the financial services watchdog on a range of issues including the recent Tesco Bank cyber theft of an estimated US$3m from more than 9,000 UK customer accounts.
At a meeting held earlier this week, the committee grilled the FCA’s chairman, John Griffith-Jones, who was forced to admit that the regulator’s board was “not over endowed” in IT experience. He was joined by FCA chief executive Andrew Bailey, as the pair were grilled about a number of matters including its response to the attack on Tesco Bank over the weekend.
UK Treasury Committee member Steve Baker MP (Con – High Wycombe) said that he was concerned that the UK financial regulator appeared to have “no technical expertise” on its board of directors. A review of the biographies on the FCA’s website shows that of ten members of the board – who have extensive experience in finance, governance and regulation – none of them have any experience with complex IT systems.
The regulator itself was also, as reported, recently left embarrassed when essential financial information was potentially put at risk during a data breach at the end of September. During a concerning IT meltdown, which left key financial information unavailable for days, the regulatory website was also forced to close while it fixed its systems.
At the time it was a major concern that the cause of the IT meltdown could have been a cyber attack, although it was later said to have been caused by a hardware issue.
‘Not over endowed’
According to a report in IT security trade publication SC Magazine, Baker asked the chairman of the board of the FCA, at the review meeting held earlier this week, if he felt that there was adequate technical expertise on the board.
Griffith-Jones admitted that the regulator was not “over-endowed with technical expertise” but said that it has, in response to the increased threat in this area, recruited a special adviser recently who has a “deep, deep technical background”.
“We thought that was a sensible way forward, to have on hand the equivalent of a board member but with more time available than we would have on the board,” he said.
Baker questioned whether this new member of staff would report directly to the board or the risk committee. Griffith-Jones replied that he would report to the audit committee. Baker then asked Griffith-Jones some IT-related questions, presumably to test his knowledge of software engineering. Prior to becoming an MP, Baker was a software engineer, the SC Magazine report said.
Griffith-Jones was not able to answer all of the questions, which prompted Baker to tell him: “I feel that these sorts of things should really be implanted in the board if it is going to deliver against these objectives.”
Earlier in the meeting, Andrew Tyrie, the Conservative MP who chairs the Treasury Select Committee, grilled the chief executive Andrew Bailey about the Tesco Bank breach and how the FCA had responded to the attack. Bailey said that the attack appeared to be “unprecedented”.
Tyrie told Bailey that following sessions with the FCA and the Prudential Regulatory Authority (PRA) recently, he came away from the FCA session with concerns about its ability to manage cyber-resiliency while the session with the PRA, part of the Bank of England, had been more reassuring.
“We were concerned that the split of the regulator would lead to a lack of coordination among various parties,” he said. Bailey replied that both regulators had been involved in remediating the Tesco Bank incident from Sunday.
Tyrie asked Bailey if Tesco would be able to identify, even without receiving a complaint from an affected customer, every account that had suffered an unauthorised withdrawal. Bailey replied: “Yes, well, they should be able to. And they have assured us they can, and we will ensure they have done that work to our satisfaction.”
In response to a second question from Tyrie, Bailey said that the FCA would have a review to see what lessons could be learned from the response to the incident but didn’t feel that they had been short of any resources when the attack was identified.