The Financial Conduct Authority (FCA) has received a ticking off from the Treasury Committee of the UK Parliament for a lack of cyber-security experts on its board of directors.
The committee was grilling the FCA's chairman, John Griffith-Jones, and chief executive, Andrew Bailey, about a number of matters including its response to the attack on Tesco Bank over the weekend.
Steve Baker MP (Con – High Wycombe) was alarmed that the FCA appeared to have no technical expertise on its board of directors. A review of the biographies on the FCA's website shows that of the ten members of the board – who have extensive experience in finance, governance and regulation – none lists any experience with complex IT systems.
Baker asked the chairman of the board of the FCA if he felt that there was adequate technical expertise on the board.
Griffith-Jones replied: “On the board we are not over-endowed with technical expertise but we have, in response to the increased threat in this area, recruited a special adviser recently who has a deep, deep technical background and we thought that was a sensible way forward, to have on hand the equivalent of a board member but with more time available than we would have on the board.”
Baker questioned whether this new member of staff would report directly to the board or the risk committee. Griffith-Jones replied that he would report to the audit committee.
Baker then asked Griffith-Jones a couple of probing questions, presumably to test his knowledge of software engineering. Prior to becoming an MP, Baker was a software engineer.
Griffith-Jones was not able to answer all of the questions, which prompted Baker to tell him: “I feel that these sorts of things should really be implanted in the board if it is going to deliver against these objectives.”
Earlier, Andrew Tyrie, the Conservative MP who chairs the Treasury Committee, grilled chief executive Andrew Bailey about the Tesco Bank breach and how the FCA had responded to the attack.
Bailey said that the attack appeared to be “unprecedented”.
Tyrie told Bailey that, following recent sessions with the FCA and the Prudential Regulation Authority (PRA), he had come away from the FCA session with concerns about its ability to manage cyber-resilience, while the session with the PRA, part of the Bank of England, had been more reassuring.
“We were concerned that the split of the regulator would lead to a lack of coordination among various parties,” he said.
Bailey replied that both regulators had been involved in remediating the Tesco Bank incident since Sunday.
Tyrie asked Bailey if Tesco would be able to identify, even without receiving a complaint from an affected customer, every account that had suffered an unauthorised withdrawal. Bailey replied: “Yes, well, they should be able to. And they have assured us they can, and we will ensure they have done that work to our satisfaction.”
In response to a second question from Tyrie, Bailey said that the FCA would conduct a review to see what lessons could be learned from the response to the incident, but that he did not feel the regulator had been short of any resources from Sunday, when the attack was identified.