The FCA has said that high demand for, and short supply of, quality chief information officers and IT consultants make these professionals the new rock stars of finance, and also jeopardise IT change programmes.
Speaking at Bloomberg in London today, FCA executive director of supervision – investment, wholesale and specialists Megan Butler said the regulator is concerned about many finance firms’ overconfidence in their ability to deliver these projects: “We are worried that a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date.
“Twenty per cent of the incidents reported to us over the last 12 months were explicitly linked to weaknesses in change management, making it the most frequent cause of outages and implying a mismatch between corporate expectations and reality.”
Among the causes of this, Butler said, was the lack of experts to manage the programmes: “…we know there is a real problem at the moment around recruiting the right skills at the top level; to steer, set strategy and oversee this model.
“Historically, and for most of my career in this industry, the rock stars of finance were always the alpha traders. Today, it’s the CIOs and IT consultants who are in high demand and short supply. Meaning the best are difficult to employ and hard to retain. A challenge reflected by the fact that all the wholesale banks and asset managers we met after this survey said they were concerned about a shortage of cyber expertise.”
Butler emphasized the importance of a positive security culture, “with all your people acting as your eyes and ears.” She warned: “Even rock star CIOs can’t shoulder all the responsibility.”
In her speech Butler referred to the FCA’s findings of the cyber and technology resilience survey published today.
It states there has been a 138 per cent increase in technology outages reported to the FCA in the year to October.
Butler says that although the regulator supports technology innovation, the picture for tech disruption looks bleak: “On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.”
Close to 300 firms were surveyed for a cross sector report, with data collected on trends in governance, cyber defence security and delivery of change management.
The findings show smaller firms continue to struggle more with technology than their larger peers and are also more likely to lack CIO-style roles.
Report figures show a quarter do not have a board-approved information security strategy and 16 per cent lack a board member or executive with specific responsibility for cyber resilience.
The report says: “Some boards struggle to understand that cyber is a global risk not just the responsibility of the IT department [and] bringing in external support is one way in which firms can address this challenge.
“Effective governance at senior levels is essential to creating an environment for effective resilience throughout an organisation, whatever its size.”
Figures show cyber-attacks have accounted for 18 per cent of operational incidents reported to the FCA for the 12 months to September 2018, while failed IT changes have accounted for 20 per cent.
Firms are also not reporting all major technology outages and cyber-attacks to the regulator as required.
The report says: “Evidence suggests that firms are under reporting and we remind all firms of their obligations to report.”
Issues around third party management are also prevalent, with IT failure at an important supplier accounting for 15 per cent of operational incidents reported.
Close to 80 per cent of respondents to the report say they aren’t sure what information third parties hold, while half do not know what data they have access to.
Moving forwards, the FCA says third party management and change management are also set to be targeted more heavily in its supervisory plans for next year.