Insight
Be cyber resilient: realise value in a Section 166 skilled person review
Cyber risk and operational resilience are an increasing focus for Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA) Section 166 (s166) ‘skilled person’ independent reviews. While financial services (FS) organisations often see s166 as a sanction and even sign of failure, it’s important to remember that it’s not a punishment. Rather, the primary aim is to give regulators a better understanding of an organisation’s operations and regulatory compliance as part of their drive to maintain quality standards across the industry. Moreover, the s166 review can provide an opportunity to strengthen understanding and control over today’s increasingly complex and fast-shifting cyber threats. So, drawing on our experience as FCA-approved skilled persons, how can you handle the s166 review and realise the benefits in the most effective way?
The number of FCA s166 reviews has been growing in recent years. This kind of independent investigation is often associated with breakdowns in governance and compliance in areas such as anti-money laundering. But cyber risk management and operational resilience are now an increasingly common target for s166 reviews.
The s166 focus on cyber security and operational resilience not only reflects the growing prevalence of cyberattacks and the fast-moving cyber threat landscape, but also the intensifying regulatory spotlight on safeguarding critical infrastructure, including the global financial system.
The failed CrowdStrike update and resulting global systems outage in July 2024 underline how systemically critical operational resilience has become. As cyber defences and wider operational resilience come to rank alongside fairness, financial soundness and customer safeguards on the FCA’s list of priorities, it’s not just the bar for cyber protection and incident readiness that’s rising, but also executive-level accountability.
Demonstrating cyber regulation compliance
The big challenge is being able to clearly demonstrate that today’s complex cyber risks are understood, being managed effectively and that cyber investment reflects the exposures and risk tolerance of the organisation. Regulators get involved when they don’t have confidence that this is the case.
Executive-level understanding and direction can be hampered by the diversity of the risks, the difficulties of securing reliable measurement and the technical jargon in the risk assessments. A common question in companies we work with is, “Do we truly understand the risks we face and will our plans address them to an acceptable level?”. If executive teams are finding it difficult to make sense of cyber risk and manage them with sufficient confidence, it can be hard to demonstrate to regulators that the business is on top of the risks.
An s166 review: called in to investigate
This need to demonstrate that cyber risk management is up to scratch is an increasing trigger for s166 review.
We’ve carried out s166 reviews following trigger events such as when a major cyber incident or penetration test reveals significant control failings. Key questions we explore with clients include whether they’ve identified the right risks and whether their remediation plans adequately address these potential exposures. We also look at whether they can deliver remediation plans in practice. Drawing on our programme delivery experience and NIST best practice, we can then help clients make simple, practical improvements to address these questions and strengthen regulator confidence in the organisation’s cyber security and operational resilience.
When we’re asked to provide a skilled person investigation and report, it’s not always in response to a hack, ransomware attack or other incident. The regulator might simply want to know more about the effectiveness of the threat assessments, risk management and reporting lines up to the executive team and Board. In a typical example, the FCA or PRA might call for a s166 review because certain risk indicators aren’t improving despite considerable investment. But as we’ve found in our investigations, the problem may not be insufficient safeguards, but a lack of clear, readily understandable reporting that renders an organisation unable to demonstrate the progress being made. Our resulting recommendations have therefore centred on how to ensure cyber risks are clearly defined, appropriately managed and sufficiently intelligible for executive-level stakeholders.
Turning a s166 investigation to your advantage
What these investigations show is that while s166 reviews are demanding, they can still be beneficial. So as an FS organisation, how can you turn this regulatory scrutiny to your advantage? Three priorities stand out:
Both the FCA and PRA are likely to signal concerns ahead of an s166 review. This gives you time to address weaknesses in your cyber risk management and reporting, as well as your operational resilience. The results could help to avoid a formal call for an s166 review. Even if not, this will help you to prepare and strengthen your position once under review.
If an s166 is triggered, choosing the right skilled person to carry out the review is the key to realising the value. Some skilled persons favour a generic audit-style review. But this may not be appropriate in a highly specialised area like cyber security. Even if this ‘check-the-box’ audit approach highlights issues that may need to be addressed, it may not provide the necessary insights and recommendations to resolve them. Selecting truly independent cyber practitioners – specialists who’ve ‘been there and done it’ – can not only quickly get to the root causes of any problems, but also set out practical and actionable plans for remediation in areas such as risk management, reporting, governance and targeting of resources.
Section 166 reviews can make significant demands on both information security teams and senior management. But the more open you are and more support you can give to reviewers, the more you can assure the regulator and the more value you are likely to get from implementing the recommendations.
In practice, this means assigning a dedicated team to work alongside the reviewers and identifying and releasing all relevant documentation. When done well, the value you get from these reviews in improving your cyber risk management should outweigh the investment of time and resources required to support them. We see this collaborative approach as key within the s166 reviews we carry out.
Let’s talk
Talk to us if would like to know more about what an s166 review involves, how to manage the process and how to realise the benefits.
Get on top of your cyber risks
Discover the key cyber-related questions and their answers for each member of your leadership team to consider.
CEO
Strengthen your security and readiness to respond. Read more.
CIO
Allocate the right roles and responsibilities. Read more.
CHRO
Create a culture of security across your organisation. Read more.
NED
Know the right questions to ask to cut through the jargon. Read more.
CFO
Ensure external stakeholders are satisfied. Read more.
Head of Procurement
Ensuring your supply chain security. Read more.
CISO
Improve your ability to navigate the cyber landscape. Read more.
CRO
Enhance your security and risk management. Read more.
Related services
The author
