Firms across the financial and related professional services industry need to take urgent action on cyber risk, according to a newly-published report.
Entitled ‘Cyber and the City’, the report is jointly produced by TheCityUK, a body representing the UK-based financial and related professional services industry, and the global insurance broker and risk adviser Marsh.
The report notes that there were a reported 2.5m cybercrimes in the UK in 2015. The majority of which were various forms of fraud with the loss typically borne by the financial sector.
It suggests that firms in London’s financial district, the City, have the data, money and profile to attract the full range of attackers including those seeking to undermine the financial system. Reputation and reliability are shared assets and argue for firms working collectively to reinforce the financial system’s resilience. That will protect services that are critical to the UK economy as well as ensuring that the UK remains a secure global financial centre.
The report recognises the significant effort invested by UK authorities to encourage action on cyber risk. It finds that while larger institutions are engaged on cyber security, there is an opportunity for the industry and individual firms to enhance cybersecurity and resiliency after cyber breaches. Survey evidence from Marsh suggests that too few firms are tackling cyber in a cohesive way: only 30% of large firms have it as a top 10 risk, only 39% have quantified the risk and just 30% have a response plan to a breach occurring.
‘Cyber and the City’ recommends that boards should hold management responsible for cyber risks instead of their IT departments and provides 10 simple questions that management should consider. According to the report, since 95% of all cyber incidents involve human error, people and processes matter as much as technology when it comes to managing cyber threats.
The report further recommends the creation of a City-wide cyber forum to promote collaboration across all firms within the financial and related professional services industry. The forum would seek broader and committed support for cyber management and the many existing initiatives that are running. Its agenda would include encouraging information and best-practice sharing, working on cyber risk aggregation and system recovery and helping to develop a strong UK cyber security sector.
“Cybercrime isn’t a problem of the future, it’s a very real threat today,” said Chris Cummings, chief executive officer (CEO), TheCityUK. “There is no silver-bullet to manage it, but there are practical steps the industry, and the customers we serve, can take to ensure we’re well protected against attack.
“Cyber hygiene should be as commonplace as locking the windows and doors when you leave the house. It is essential for the industry and the continued attractiveness of the UK as a safe place to do business that we tackle this issue head on and make the UK a centre of excellence for cyber security.”
Mark Weil, CEO, Marsh UK & Ireland, added: “Financial services are a high-value target for cyber-crime given their criticality to the economy. In the end, most firms are going to need to spend money on cyber defences. That’s going to make for difficult choices on how much and in what they invest.
“Cyber insurance is an important element of preparedness as it marks to market the nature and size of threats firms face and the best use of their money in defending against them.”
‘Cyber and the City’ provides a series of practical recommendations for individual firms and the wider industry to improve their cyber resilience, working in partnership with government, regulators, supervisors, police an intelligence services. They build on existing initiatives and progress already made in this area and include:
Key recommendations for firms
• Make cyber a standing item on the board or risk committee agenda.
• Ensure cyber risk is a part of strategy, investment cases, acquisition and appraisals.
• Have a broad based team inputting to how cyber risk is managed.
• Monitor cyber readiness against the 10-point cyber checklist.
1. The main cyber threats for the firm have been identified and sized.
2. There is an action plan to improve defence and response to these threats.
3. Data assets are mapped and actions to secure them are clear.
4. Supplier, customer, employee and infrastructure cyber risks are managed.
5. The plan includes independent testing against a recognised framework.
6. The risk appetite statement provides control of cyber concentration risk.
7. Insurance has been tested for its cyber coverage and counter-party risk.
8. Preparations have been made to respond to a successful attack.
9. Cyber insights are being shared and gained from peers.
10. Regular board review material is provided to confirm status on the above
Key recommendations for the industry
• Establish an industry-wide cyber forum to complement existing bodies and initiatives.
• Encourage information and best practice sharing through existing channels like Cybersecurity Information Sharing platform (CiSP).
• Investigate cyber risk aggregation in the financial system, vulnerabilities to widespread attack and recovery from them.
• Encourage support for the UK cyber security sector including apprenticeships, mentoring, access to test facilities and participation in trade events overseas.
• Encourage the consideration of cyber hygiene standards in lending, underwriting and investment decisions to promote cyber security in the wider economy.
By 2030 artificial intelligence will add more than US$15 trillion to the world economy according to the group’s research, but most of that gain will go to North America, Europe and Asia.
Companies are warned that they must improve their resilience, as incidents such as this week’s ‘Petya’-style attack become increasingly common.
A report by the Lloyd’s of London insurance market finds that the sector is second only to financial services as the target of attacks.
The Bank of England calls for UK banks to put aside an extra £11.4bn to deal with any future economic slowdown in its latest financial stability report