FCA says reported technology outages at firms has more than doubled

Technology outages reported to the FCA has surged 138%, with 18% of those incidents being cyber-related.

Technology outages at financial institutions reported to the UK’s regulator has more than doubled over the past year, according to its executive director of supervision.

Speaking at an event in London earlier this week, Megan Butler told delegates that firms reported a 138% increase in technology outages to the Financial Conduct Authority (FCA), with 18% of all the incidents reported to the regulator being cyber-related.

“On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are effecting UK financial services,” Butler said. “New technologies create threats that are extremely difficult to anticipate. And from a regulatory perspective, this is a fundamental challenge.”

Butler highlighted that the increase in reported outages doesn’t necessarily represent a one-dimensional picture of a surge in cyber-attacks, but that firms are reporting incidents more robustly.

The FCA suggested that in terms of technology outages, financial firms both large and small are overconfident on their ability to manage flagship IT change programmes and keeping systems up to date. Of the reported incidents last year, 20% were explicitly linked to weaknesses in change management, making it the most frequent cause of outages.

On the issue of potential cyber-attacks, Butler told delegates that one-third of firms currently do not perform regular assessments, despite having the data, and almost half of firms do not upgrade or retire systems early enough.  

“We are seeing some serious vulnerabilities across areas like identification of key assets, information and detection. Again, I emphatically do not want to underplay the nature of the threat facing firms.”

The FCA also said it does not expect ‘zero-failure’ in terms of technology and cyber-related incidents, and it is currently in discussions to establish ‘impact tolerances’ and the ability for firms to recover and learn from operational disruptions.