
"A lot of the time, it isn’t technology at fault when things go wrong. It’s classic systems and control failures."
The stark warning to firms came from the FCA's executive director of supervision, Megan Butler, who raised concerns over 'significantly' more outages and cyber attacks over the last year.
Over the past year, firms reported a 138% increase in technology outages alongside an 18% increase in cyber incidents.
During a speech in London, Butler said the FCA does not expect ‘zero-failure’, but is "deeply concerned that the number of technology incidents reported to us has increased".
She said a large problem is firms being "overly confident about their ability to manage flagship IT change programmes".
Both large and smaller businesses described change management as a strength in a recent FCA survey, yet 20% of incidents reported to the FCA are "explicitly linked to weaknesses in change management".
Butler said this makes it the most frequent cause of outages and implies a "mismatch between corporate expectations and reality", adding that an 'overconfidence bias' is particularly characteristic in financial services.
Despite being confident in their abilities, a third of firms in the survey do not perform regular cyber assessments, and nearly half admitted they do not upgrade or retire old IT systems in time. Just 56% said they can measure the effectiveness of their information asset controls.
Additionally, only the largest firms have automated their detection systems to spot potential cyber attacks. Smaller firms, Butler said, are generally relying on "old school, manual processes – or no processes at all".
She explained: "A lot of the time, it isn’t technology at fault when things go wrong. It’s classic systems and control failures.
"Take Tesco Bank’s cyber attack as an example: It had specific warning of the threat and failed to put in place an effective defence, which left its customers in a vulnerable position for a significant period of time."
Concluding, Butler said that the "current threat level is remarkable", highlighting that cyberattacks are now sandwiched between ‘failure of climate-change mitigation’ and ‘large-scale, involuntary migration’ on the World Economic Forum’s 2018 risk landscape.
She stressed that "irrespective of firm size or sector, cyber is not just a technology risk; it is a human risk".