FCA warns over future hybrid working security risks

The security community has been reacting to freshly published guidance from the Financial Conduct Authority (FCA), warning of the cyber security risks regulated organisations such as banks face when enacting hybrid working policies.

Hybrid working, a mix of in-office and remote working, is being explored by many thousands of companies across the UK, despite the protestations of commercial landlords and government ministers.

The FCA’s guidance will be applied on a case-by-case basis and sets out a number of expectations for financial services organisations.

In future, such firms will be required to show that the lack of a centralised location, or remote working, does not affect the firm’s location in the UK or its ability to meet the threshold conditions for the regulated activities it undertakes; reduce the accuracy of the information it must supply to the FCA; cause detriment to consumers; damage market integrity; or increase the risk of financial crime.

They will also have to prove they have sufficiently planned for hybrid working, that senior managers and boards have appropriate governance and oversight, that policies and procedures to reduce the potential of financial crime arising from hybrid working are effective, that there is an appropriate culture in place, and that control functions such as risk, compliance and internal audit can function properly.

Financial services organisations will also have to show they have considered data, cyber and security risks, particularly if staff are moving confidential equipment between their homes and workplaces, that they can meet regulatory requirements, and that the necessary IT functionality is in place to support the organisation.

While hybrid working models bring substantial benefits in terms of cost saving and flexibility, and in many cases benefits for staff such as reduced commutes, easier access to childcare and even improved mental wellbeing, the cyber risks are substantial. Zoho Europe managing director Sridhar Iyengar said the FCA was entirely correct to issue guidance on such risks – particularly around challenges such as regulatory requirements and data compliance.

“The Covid-19 pandemic has forced through many positive changes in terms of working practices, yet far too many companies still lack the training and assessment of personnel and the IT infrastructure and systems to ensure complete compliance,” said Iyengar.

“Moving forward, organisations seeking to build a truly safe and secure hybrid working culture must look towards operating systems that can offer key applications to manage everything from collaboration and finance, to analytics and customer engagement. This will bring a new level of safety and security to remote working, helping to keep companies compliant with FCA standards.”

Chris Ross, Barracuda Networks international senior vice-president, also welcomed the guidance. “With ransomware attacks on the rise, keeping companies fully aware of their regulatory responsibilities when managing remote working models is an essential step, alongside the necessary security systems and training for staff,” he said.

“Our recent research has shown that 81% of IT leaders admitted that their organisation had suffered a security breach in the past 12 months,” said Ross. “Worryingly, companies operating a remote or hybrid working model had a substantially higher breach rate, at 85% compared with office-based businesses, where the figure was 65%.

“Worse still, three quarters of those surveyed stated that they had been the victim of at least one ransomware attack. It’s therefore vital that all companies operating hybrid working models remain compliant and acutely aware of potential security risks at all times.”