This article was written by Ian Hargreaves (partner) and Robert Bolgar-Smith (associate).
"In the 2007 credit crisis – a once-in-a-generation event – not one UK bank failed thanks to the simple, fast-acting remedies of cash and capital injection. In contrast, a large-scale cyber attack that renders bank systems or data unusable has no such quick fix for a finance minister or central banker to deploy" - Mark Weil, Chair of TheCityUK Cyber Taskforce.
Cybersecurity continues to create headlines, and its importance has never been appreciated as much as it is now in the board meetings of companies of all sizes, sectors and jurisdictions. There remain, however, a number of companies who still see cybersecurity as purely an IT issue. This is incorrect and should be a cause of concern for their stakeholders, including shareholders, employees and customers.
TheCityUK, an industry body focussed on the UK financial and related services industry, and Marsh, a leading insurance brokering and risk management firm, recently launched their "Cyber and the City" report, which seeks to appraise the current risks facing the financial services industry and to put forward recommendations (available here). While cybersecurity is a concern for companies of all sizes, the financial sector attracts additional attention due to (a) the prevalence of money and sensitive data, (b) its public profile and (c) its importance to the economy, which are the focus of criminals, "hacktivists" and terrorists/hostile states respectively.
"50% of CEOs believe that they have insurance cover for cyber attack … policy analysis suggests that only 10% do" - Cyber and the City Report
The "Cyber and the City" report provides a number of recommendations for both individual firms and for the financial sector as a whole, which we would advise reviewing. In particular, the report emphasises the need for companies to share details of cyber incidents and best practices across the industry. At present, due in part to PR concerns, companies tend to refuse to talk openly about their concerns, their current practices and any cyber incidents they have suffered. This is of significant assistance to cyber criminals of all stripes, since it allows them to continue exploiting weaknesses which could otherwise have been patched.
The report also focuses on the need for individual companies to consider cyber risk from a broad range of perspectives, including those of their HR, business and management teams. First, they need to be aware of what data they hold, who has access to it and what the risks are. This includes data which could be stolen, but also data which is critical to the company's business and could be corrupted or encrypted (e.g. by ransomware). Secondly, they need to implement policies to improve their defences, including training their employees on how to recognise threats. Finally, companies need to prepare and practise incident recovery plans: how would you respond if all your customer data was leaked? Would you pay a ransom if all your company's files were irrecoverably encrypted?
Cyber threats, and the companies that face them, are ever changing. Companies' cyber policies and incident response plans need to be dynamic and regularly updated. Software needs to be patched. New employees and contractors need to be trained. We can work with companies and their service providers to assess potential risks and to prepare, implement and practise incident recovery plans to mitigate the risks of a cybersecurity breach.