contact Search
Search
Insight

Be cyber resilient: realise value in a Section 166 skilled person review

Dave Machin

Cyber risk and operational resilience are an increasing focus for Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA) Section 166 (s166) ‘skilled person’ independent reviews. While financial services (FS) organisations often see s166 as a sanction and even sign of failure, it’s important to remember that it’s not a punishment. Rather, the primary aim is to give regulators a better understanding of an organisation’s operations and regulatory compliance as part of their drive to maintain quality standards across the industry. Moreover, the s166 review can provide an opportunity to strengthen understanding and control over today’s increasingly complex and fast-shifting cyber threats. So, drawing on our experience as FCA-approved skilled persons, how can you handle the s166 review and realise the benefits in the most effective way?

The number of FCA s166 reviews has been growing in recent years. This kind of independent investigation is often associated with breakdowns in governance and compliance in areas such as anti-money laundering. But cyber risk management and operational resilience are now an increasingly common target for s166 reviews.

The s166 focus on cyber security and operational resilience not only reflects the growing prevalence of cyberattacks and the fast-moving cyber threat landscape, but also the intensifying regulatory spotlight on safeguarding critical infrastructure, including the global financial system. 

The failed CrowdStrike update and resulting global systems outage in July 2024 underline how systemically critical operational resilience has become. As cyber defences and wider operational resilience come to rank alongside fairness, financial soundness and customer safeguards on the FCA’s list of priorities, it’s not just the bar for cyber protection and incident readiness that’s rising, but also executive-level accountability. 

Demonstrating cyber regulation compliance

The big challenge is being able to clearly demonstrate that today’s complex cyber risks are understood, being managed effectively and that cyber investment reflects the exposures and risk tolerance of the organisation. Regulators get involved when they don’t have confidence that this is the case.

Executive-level understanding and direction can be hampered by the diversity of the risks, the difficulties of securing reliable measurement and the technical jargon in the risk assessments. A common question in companies we work with is, “Do we truly understand the risks we face and will our plans address them to an acceptable level?”. If executive teams are finding it difficult to make sense of cyber risk and manage them with sufficient confidence, it can be hard to demonstrate to regulators that the business is on top of the risks. 

An s166 review: called in to investigate

This need to demonstrate that cyber risk management is up to scratch is an increasing trigger for s166 review. 

We’ve carried out s166 reviews following trigger events such as when a major cyber incident or penetration test reveals significant control failings. Key questions we explore with clients include whether they’ve identified the right risks and whether their remediation plans adequately address these potential exposures. We also look at whether they can deliver remediation plans in practice. Drawing on our programme delivery experience and NIST best practice, we can then help clients make simple, practical improvements to address these questions and strengthen regulator confidence in the organisation’s cyber security and operational resilience.

When we’re asked to provide a skilled person investigation and report, it’s not always in response to a hack, ransomware attack or other incident. The regulator might simply want to know more about the effectiveness of the threat assessments, risk management and reporting lines up to the executive team and Board. In a typical example, the FCA or PRA might call for a s166 review because certain risk indicators aren’t improving despite considerable investment. But as we’ve found in our investigations, the problem may not be insufficient safeguards, but a lack of clear, readily understandable reporting that renders an organisation unable to demonstrate the progress being made. Our resulting recommendations have therefore centred on how to ensure cyber risks are clearly defined, appropriately managed and sufficiently intelligible for executive-level stakeholders. 

Turning a s166 investigation to your advantage 

What these investigations show is that while s166 reviews are demanding, they can still be beneficial. So as an FS organisation, how can you turn this regulatory scrutiny to your advantage? Three priorities stand out:

Let’s talk

Talk to us if would like to know more about what an s166 review involves, how to manage the process and how to realise the benefits.

Get on top of your cyber risks

Discover the key cyber-related questions and their answers for each member of your leadership team to consider.

CEO

Strengthen your security and readiness to respond. Read more.

CIO

Allocate the right roles and responsibilities. Read more.

CHRO

Create a culture of security across your organisation. Read more.

NED

Know the right questions to ask to cut through the jargon. Read more.

CFO

Ensure external stakeholders are satisfied. Read more.

Head of Procurement

Ensuring your supply chain security. Read more.

CISO

Improve your ability to navigate the cyber landscape. Read more.

CRO

Enhance your security and risk management. Read more.