How an asset management firm should go about formulating its cyber-policy
Chris Hamblin
4 February 2016
The conference was held this week at the offices of Bloomberg in Moorgate. The presenters and panellists were Alex Brown, a partner at the City law firm of Simmons and Simmons; Conor Kiernan, the chief technical officer at Marshall Wace; and James Hogbin, the CEO of a 'build over buy shop' called IP Sentinel. Patrick Shea, the head of Cordium US, was in the chair.

The panel session started with a brief overview of the way US regulators were trying to impose cybersecurity on financial firms. Their efforts fell into three categories.

1. Communications and the setting of expectations. The Securities and Exchange Commission's and FINRA's regulations on the subject go back two years. Cybersecurity has been on their list of priorities in most recent years.

2. The SEC's 'national examination programme' has marked the subject out as an area of concern, with the SEC even going so far as to release its document request list (containing the categories of document that it asks for on visits) twice. Such eagerness is not unprecedented, but the panel took this to be a sign that the regulator is taking the subject very seriously.

3. The concept of testing and fact-gathering. Shea said: "For the past 24 months the team has been out, looking at 50 brokers and investment advisory firms. That was more of a fact-gathering exercise for cyber-security preparedness and data protection programmes. In the next round, they will be testing and starting to set the scene in terms of feedback. I have heard a story of one firm being tested in the first round."

A matter of regulatory principle

And in the UK? In November 2014 the Financial Conduct Authority (FCA) fined the Royal Bank of Scotland (RBS) £42 million for an IT outage in 2012 that prevented customers from drawing money from their bank accounts. Indeed, 12 million people were locked out of their accounts for days. The Prudential Regulation Authority (PRA) also fined the bank £14 million, bringing the total up to £56 million. The FCA held the bank to be in breach of 'principle for business' three, which dictates very vaguely that each firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

One panellist said: "If you read that RBS decision, there are layers of governance failure and lots of reporting going on, but not much fixing of issues. There's also a focus on black swan events. You can read RBS's failures across into cyber-security. Finally, you can also read across the issue of IT resilience not being given enough prominence."

Others were more sceptical. Conor Kiernan said that "the regulator in the UK doesn't take any notice of cyber-security whatsoever." One panellist announced: "In the last three days, HBOS went offline. It was a denial-of-service attack. Is the FCA going to fine them for some kid in Vietnam taking them out? I can't see it."

Patrick Shea thought that it was unfair to say that the FCA did not have cyber-security on its radar at all: "In the UK, the government is educating private business. It's written the 'Dear CEO' letters, saying 'we're not here to protect you - if you want to protect yourself, you should get your game up.' I'd rather have it when it's grown from the business and not from the regulator. It grows more organically. If the regulator does it, it becomes a checklist. And there's a lot of co-operation across the Pond. Much is investor-driven."

The discussion moved on to whether asset managers were depending on service-providers for their cyber-security or bringing in experts. One speaker thought that a lot of them were bringing in experts. He said that the Alternative Investment Management Association (which represents the world's hedge fund industry) and the Hedge Fund Standards Board were issuing guidance. On a sombre note, he added: "Inevitably, you're going to get attacked/owned, but the investor wants to know how you're going to win that last war. Some script kiddy's going to come in."

Shea asked the panel to talk about trends in outsourcing or, alternatively, keeping cyber-security in-house. Alex Brown, with a lawyer's eye for the rules, warned: "The first thing I always feel compelled to say is that you can outsource the function but you can't delegate the regulatory responsibility for keeping the data safe and having safe systems. That's always going to remain with you, so you have to keep an appropriate degree of oversight and control of outsourced functions...and the regulations say that. So do the 'Dear CEO' letters. That means 'due diligence' exercises on the vendor supply chain. You also need proper contracts full of stuff about control – and your ability to exit. We came in and said to the staff 'here's what you need to do at home.'" We taught people (in the same style as Credit Suisse, who educated their employees recently) about that and they were fascinated. Then we taught them about phishing emails.

"In your governance structure, don't leave responsibility for cyber-security purely within IT. Use Risk, use Compliance. Meeting regularly with me keeps them honest. Firms make the mistake of ticking boxes. They get lawyers to draw up policies – these are huge documents. They go straight to policy, which is a mistake. You should start by getting boots on the ground."

"Some phisherman on Friday got £1.2 million in a live phishing attack. There's no tool that can stop this stuff. If your employees click on the thing that the phisherman sends them, the battle is lost. There's no IT that you can buy that beats the education. Phishermen play on the fact that humans inherently trust what they see in front of them and trust what they hear. They should be saying to themselves: 'Is this real? Should I question it?' I liken it to the fact that in the airline industry at one time nobody questioned the pilots; the pilots were therefore making mistakes without being challenged about them, and planes were crashing. They fixed it by telling stewards and other staff to ask questions all the time, and safety improved. So you should be saying: 'Just because it looks as though this email comes from the CEO, I'm not taking this on trust.'"

"They should probably get some help from some backroom nerd. He'll tell you of the dangers that can get you. There's everything from scams and cons to people installing stuff in web pages that steals your Bitcoins. There are many people you can go to - McAfee, Symantec...they all have experts. Every computer has to be fully patched every time a patch comes out, and no excuses. In a recent survey, few if you're not allowed to do it, don't do it. Here is my advice to a compliance officer who's just starting out."

Kiernan went on to say that when the compliance officer or person in charge of cyber-security at a financial firm first begins to formulate policy on the subject, he should ask himself: "What are the three things I should look for? Where should I start?" The answer, according to Kiernan, was simple.

"(i) Educate yourself. There's a lot of free education out there. If you're an AIMA member, good. Ask questions of your internal IT around the questions you've formulated. Have your own story there.

(ii) Ask questions about the governance structure. Who are you reporting to? Governance is the number one thing to cover.

(iii) Look at how other firms are reporting incidents to the Government, to law enforcers and even to each other."

The RBS fine in more detail

In the 'final notice' in which it fined the RBS banking group, the FCA noted that Technology Services (the centralised group IT function which provides IT services to the banks in the group, namely the Royal Bank of Scotland, National Westminster Bank and Ulster Bank Ltd) backed out a software upgrade that its technicians had installed on Sunday, 17 June 2012. (To 'back out' an upgrade is to uninstall the current version of the software and go back to a previous version of it.) The underlying cause of the IT incident was the failure of the RBS stable of banks to operate adequate systems and controls to identify and manage their exposure to IT risks. In particular, they failed in the following ways.

Firstly, Technology Services did not take reasonable steps to ensure that changes to the banks' IT systems were carried out in a carefully planned and consistent manner. It did not manage and plan those changes adequately because it did not devise and implement adequate processes for identifying, analysing and resolving IT incidents, or even policies for testing software.

Secondly, the three lines of defence (a nebulous concept that the FCA is very keen on, entailing the division of firms' compliance efforts between the business itself as the first line, risk management as the second and internal audit as the third, all defending the business against an unnamed danger - presumably an FCA fine) did not carry out their responsibilities adequately.

(a) Technology Services Risk (the risk function within Technology Services), the so-called first line of defence, was responsible for identifying and managing IT risks. It did not carry out its duties adequately because it had a culture of reacting to events and a team with insufficient experience and skills.

(b) Business Services Risk, the second line of defence, was responsible for reviewing Technology Services' view of risks and identifying gaps in the Group's view of risk. It did not carry out these duties adequately because it had limited IT skills and it did not sufficiently challenge Technology Services Risk's view of IT risk.

(c) Group Internal Audit, the third line of defence, was responsible for providing independent assurance on the design and operation of risk management and internal control processes. There were weaknesses in the communications between Group Internal Audit and the first and second lines of defence. One group board minute stated: "Rather than focusing on backward looking events, consideration should be given to broader risk issues and potential 'black swan' events."