In a letter (2-page / 873KB PDF) written on behalf of the Treasury Select Committee in the UK parliament, Andrew Tyrie said the current "lines of responsibility and accountability for reducing cyber threats … appear to be somewhat opaque".
Tyrie, chair of the Committee, said: "Responsibility is shared among a number of bodies, primarily the PRA, the FCA and GCHQ. In practice, the other regulators are inevitably dependent on the flow of information, and the underlying quality of the work, from GCHQ. GCHQ's statutory line of accountability is through the foreign secretary; those of the PRA and the FCA are to the Treasury and parliament. Understandably enough, the foreign secretary's priorities may be towards the need to address state-sponsored cyber-crime and terrorism, not commercial cyber-crime and fraud."
"In the light of the above, it is for consideration whether a single point of responsibility for cyber risk in the financial services sector, with full ownership of – and accountability for – financial cyber threats is now required. It may be necessary to create a line of accountability to the Treasury for financial cyber-crime," he said.
Tyrie's letter was addressed to Ciaran Martin, chief executive of the UK's National Cyber Security Centre (NCSC), which became operational at the beginning of October. In the letter Tyrie described UK bank IT infrastructure as "outdated". He asked Martin what the NCSC's objectives are and what powers are at its disposal to bring "meaningful improvements in cyber risk management in firms".
Tyrie also asked Martin whether he believes it is the job of the NCSC "to devise a detailed strategy, in cooperation with the banking sector, to replace legacy computer systems".
In a statement issued alongside the letter, Tyrie said: "The Committee has serious concerns in the cyber area: the opaque lines of accountability between the relevant authorities, particularly the regulators on the one hand and intelligence agencies on the other, and a very high degree of reliance on information from the intelligence community."
"It is essential that the intelligence community gives the regulators the technical and practical support they need to do their job. This means making sure that financial cyber crime has a high priority, and is not subordinate to other work. Failure to do so would inhibit the ability of financial institutions to maintain an adequate level of protection for millions of consumers … As millions of customers are exposed to the risks of cyber crime, a higher level of scrutiny and accountability for existing arrangements is needed," he said.