Firms across the financial and related professional services industry need to take urgent action on cyber risk, according to a new report from TheCityUK and Marsh.
There were a reported 2.5 million cyber crimes in the UK last year, most of them forms of fraud whose losses are typically borne by the financial sector. City firms hold the data, money and profile that attract the full range of attackers, including those seeking to undermine the financial system itself. Reputation and reliability are shared assets, which argues for firms working collectively to reinforce the financial system’s resilience.
Investing in security
The report recognises the significant effort the UK authorities have invested in encouraging action on cyber risk. It finds that while larger institutions are engaged on cyber security, there is an opportunity for both the industry and individual firms to strengthen their security and their resilience to, and recovery from, cyber breaches.
Survey evidence shows that too few firms are tackling cyber risk in a cohesive way: only 30% of large firms rank it among their top ten risks, only 39% have quantified the risk, and just 30% have a plan for responding to a breach.
“While financial incentives should never be the primary reason for a company to invest in security, anything that helps more financial services firms take security seriously is definitely a good thing. The question is whether a financial incentive is as powerful as a financial penalty,” Ryan O’Leary, VP Threat Research Centre at WhiteHat Security, told Help Net Security.
“One major concern with an incentive like this is that companies may not go far enough to put the infrastructure in place to actually fix the issues that their shiny new security solution finds. Simply ticking the box that says the firm has something in place does not guarantee any reduction in vulnerabilities. Checking that these firms are finding, and then fixing vulnerabilities would be the best way to go, but this would be impractical given the oversight that would be needed. Overall, tax breaks may help get some companies to start to seriously consider their IT security, but I’m doubtful that they would move the needle in terms of these firms actually being safer,” O’Leary added.
The report argues that boards should hold management, rather than the IT department, responsible for cyber risk, and it provides ten simple questions for management to consider. Because, by the report’s estimate, 95% of all cyber incidents involve human error, people and processes matter as much as technology when it comes to managing cyber threats.
The report recommends the creation of a city-wide cyber forum to promote collaboration across all firms within the financial and related professional services industry. The forum would seek broader and committed support for cyber risk management and for the many initiatives already running. Its agenda would include encouraging information and best-practice sharing, working on cyber risk aggregation and system recovery, and helping to develop a strong UK cyber security sector.
Recommendations for firms:
A. Make cyber a standing item on the Board or risk committee agenda;
B. Ensure cyber risk is a part of strategy, investment cases, acquisition and appraisals;
C. Have a broad-based team contributing to how cyber risk is managed;
D. Monitor cyber readiness against the ten-point cyber checklist:
- The main cyber threats for the firm have been identified and sized
- There is an action plan to improve defence and response to these threats
- Data assets are mapped and actions to secure them are clear
- Supplier, customer, employee and infrastructure cyber risks are being managed
- The plan includes independent testing against a recognised framework
- The risk appetite statement provides control of cyber concentration risk
- Insurance has been tested for its cyber coverage and counter-party risk
- Preparations have been made to respond to a successful attack
- Cyber insights are being shared and gained from peers
- Regular Board review material is provided to confirm status on the above.