The Financial Conduct Authority (FCA) has praised how firms adapted to the pandemic but emphasised seven key points they must focus on as hybrid and other working models are growing in popularity.
These included the risks of staff using personal devices, of confidential material being let slip at home, and of hybrid working itself becoming a lure in phishing attacks.
The regulator has shown a keen interest in ensuring financial firms are able to operate securely and effectively in different working environments since the pandemic hit.
Having set out an operational resilience policy in March, it published further expectations on remote working last month, including a warning that it could visit staff at home.
These latest details came in response to a question submitted during its 2021 annual public meeting.
The FCA said it wanted firms to pay attention to how they maintained their important business services within pre-defined impact tolerances as they transitioned to different working models.
“We expect firms to ensure they maintain their important business services agnostic of their working model (whether that be in office, dispersed or hybrid),” it said.
“Their important business services and impact tolerances should remain the same for all working models, and they should be capable of demonstrating how these standards are being maintained.”
Seven main risks
The seven key risks around operational resilience which it chose to emphasise were:
- The increasing reliance on third parties. It noted that firms retain responsibility for maintaining resilient services through third parties and need to manage outsourced providers effectively to reduce the risk of operational disruption.
- The surge in use of Virtual Private Networks (VPNs), which allow remote users to securely access firms’ IT resources. Firms should apply the latest patches as soon as possible and regularly test their VPN infrastructure for cyber vulnerabilities; with staff working from home, they will also have many more IP addresses to monitor.
- Staff using personal devices when working from home, and mobile versions of systems. The regulator highlighted that firms should ensure access to their systems through personal devices is as secure as access through their own equipment.
- Continuous home working and information security. Firms should be alert to these risks and adapt their training accordingly, the FCA said. It used the example of staff needing to be extremely careful when discussing confidential information around family members who may work for rival organisations.
- Linked to this is the threat of malicious insiders and data security. Use of sensitive data, and monitoring of employees’ access to it, is less likely to be as stringent at home as it is in the office. Firms should review and adapt data loss prevention controls to ensure they remain robust enough to mitigate both intentional and unintentional data breaches, the FCA said.
- Delayed non-essential changes and system updates. Some firms may have a backlog of changes to make and will need to manage the risk of clashes when applying many changes over a short period, without causing disruption.
- Cyber criminals have adapted. Firms should understand how attackers tailor phishing emails and ensure staff are continually trained to spot the warning signs. “With staff beginning to return to the office in far larger numbers, it’s likely hybrid working becomes a common topic in phishing emails,” the FCA added.