Many customers could have their personal data left at risk of data breaches because senior executives in the companies they do business with do not understand the cyber security dangers they face.
This is according to the Financial Conduct Authority (FCA), which has been undertaking a review of the issue within asset management and financial firms. It found that although all the firms it focused on recognise the importance of strong cyber security, there is wide variation in how well they understand how weak security measures can affect their business activities, which could lead to harm for themselves and their customers.
It noted that awareness is particularly poor at board and management committee levels, as well as within firms where there are no specific cyber security strategies in place.
Even where plans do exist, some firms do not consider non-technical consequences of a cyber security incident, such as the impact an attack would have on their reputation, their clients and the wider market.
To tackle these issues, the FCA said senior executives must do more to better understand the risks associated with their business activities. This will be especially important in organisations that have centralised management structures.
They should also make efforts to change their organisational cultures to ensure that cyber security is seen as an enterprise-wide issue and not merely a matter for the IT department.
The FCA said: "Having an independent owner for cyber, or an ownership model that is not solely made up of IT staff, can enable challenge and deliver incident management and recovery plans which reflect the impact of cyber more widely than just that on systems and technology."
It also noted that some companies in the financial services sector have turned to third-party firms to offer independent advice on how to approach cyber security.
While the regulator stated this may be an effective way of helping the board upskill their security capabilities without the need to hire a dedicated board member, companies should make sure they do not become over-reliant on their services.
The FCA said this could affect firms' development of their own in-house cyber capabilities and reduce boards' longer-term ability to objectively assess their security environment.