The lack of IT expertise – and more specifically cyber-security knowledge – on the board of directors of the FCA is emblematic of a bigger problem within British business as a whole.
It came to light yesterday in a Treasury Committee hearing in Parliament that the Financial Conduct Authority's board of directors – numbering ten men and women in total – included not a single person with an IT technical background, let alone any depth of cyber-security knowledge.
The FCA, of course, is the body responsible for regulating 56,000 financial services companies and financial services markets in the UK. These include banks such as Tesco Bank which suffered a serious criminal hacklast weekend, and the FCA is one of the organisations that Tesco turned to as soon as it realised it had a problem.
The FCA, to its credit, has recognised it has a problem with lack of expertise on the board. The chairman, John Griffith-Jones, told the committee, “We are not over-endowed with technical expertise.”
You could sense that both he and the committee chairman, Andrew Tyrie MP, both recognised this as a massive understatement. It was also apparent from the depth of answers that the committee managed to extract from the two witnesses.
And the FCA's response to their admitted lack of expertise – did they go out and recruit a board member or two with real IT experience? No, they hired an adviser who will report not to the main board but to the audit committee.
Just to be clear, the audit committee is primarily responsible for reviewing the effectiveness of the FCA's internal controls.
It led Steve Baker MP, a member of the Treasury Committee, to comment: “I feel that these sorts of things should really be implanted in the board.”
Is this not what experts across the cyber-security sector have been saying for years? Cyber-security is a board level issue, for organisations of every stripe – including financial institutions and the bodies which regulate them.
How can the FCA have any credibility on security matters if it doesn't even have this expertise at board level?
And without this knowledge “implanted in the board” as Steve Baker MP said, how can we have faith that it understands these issues well enough to ensure lessons are learned – and implemented – following the Tesco Bank attack?