Firms across the financial and related professional services industry need to take urgent action on their cyber risks, which present a “real and present danger” to the financial system, according to a new report published by TheCityUK and Marsh.
Only a few UK firms are tackling cyber risk in a cohesive way, despite its potential as a systemic risk that could render bank systems or data unusable, according to the report, titled “Cyber and the City – Making the UK financial and professional services sector more resilient to cyber attack.”
Survey evidence from Marsh shows that only 30 percent of large firms rank cyber as one of their top 10 risks, only 39 percent have quantified their cyber exposure and just 30 percent have a comprehensive cyber incident response plan.
The report revealed that 2.5 million cyber crimes were reported in the UK last year, most of which were various forms of fraud with the loss typically borne by the financial sector.
“At the same time, the actual annual cost of cyber attacks for large organizations has been estimated at £1.5 million [$2.2 million] to £3 million [$4.4 million],” said the report. It noted that these figures are likely to understate the real cost, in part because there is a lack of willingness to admit to a loss and also because there are wider costs related to the clean-up required after attacks.
“City firms have the data, money and profile to attract the full range of attackers including those seeking to undermine the financial system,” said a summary of the report issued by Marsh and TheCityUK, a London-based group that promotes the UK financial services sector.
“While few firms of size have so far failed because of such an attack…, the costs and consequences for reputation can nevertheless be severe and it is within the bounds of plausibility that a financial firm – critically reliant on customer confidence – might fail were it to suffer a large or repeated set of such attacks,” the report cautioned.
As a result, firms need to work collectively to reinforce the financial system’s resilience, both to protect services that are critical to the UK economy and to ensure that the UK remains a secure global financial center, the report said.
“Technology is now so critical to financial firms that the opportunities and risks it brings need to be central to the running of the firm,” said Mark Weil, CEO, Marsh UK & Ireland, in a foreword to the report. (Weil is also chair of TheCityUK Cyber Taskforce.)
“Cyber crime is a real and present danger and financial institutions are on the front line,” said TheCityUK Chairman John McFarlane, who is also chairman of Barclays. “We in the financial and related professional services sector need to act with the urgency of knowing that a large, systemic risk is upon us.”
Recommendations
“Cyber and the City” recommends that boards should hold management responsible for cyber risks instead of their IT departments. Since 95 percent of all cyber incidents involve human error, the report noted, people and processes matter as much as technology when it comes to managing cyber threats.
“The good news is that cyber risk lends itself to board governance in the same way as any other risk,” the report continued.
Management Buy-In
“We recommend that boards conduct regular reviews to ensure that management has taken ownership of the cyber threat,” it said. “That should ensure that cyber risk is seen as part of business leaders’ role and is addressed in a wide range of contexts, such as strategy, acquisitions and appraisals.”
The report suggested that by taking this path, the board would widen engagement in cyber risk management from the chief information officer to include business unit leaders, human resources, risk, finance, legal and others.
The report provides a 10-point checklist of items that boards should have their management address:
- The main cyber threats for the firm have been identified and sized
- There is an action plan to improve defense and response to these threats
- Data assets are mapped and actions to secure them are clear
- Supplier, customer, employee and infrastructure cyber risks are being managed
- The plan includes independent testing against a recognized framework
- The risk appetite statement provides control of cyber concentration risk
- Insurance has been tested for its cyber coverage and counter-party risk
- Preparations have been made to respond to a successful attack
- Cyber insights are being shared and gained from peers
- Regular board review material is provided to confirm status on the above
Cyber Forum
The “Cyber and the City” report further recommends the creation of a City of London cyber forum to promote collaboration across all firms within the financial and related professional services industry, while interfacing with government initiatives.
“The forum would seek broader and committed support for cyber management and the many existing initiatives that are running. Its agenda would include encouraging information and best-practice sharing, working on cyber risk aggregation and system recovery and helping to develop a strong UK cyber security sector,” said the summary.
“Cyber hygiene should be as commonplace as locking the windows and doors when you leave the house. It is essential for the industry and the continued attractiveness of the UK as a safe place to do business that we tackle this issue head on and make the UK a center of excellence for cyber security,” according to Chris Cummings, chief executive, TheCityUK, in a statement.
“There is no silver bullet to manage it, but there are practical steps the industry, and the customers we serve, can take to ensure we’re well protected against attack,” Cummings added.
Source: TheCityUK and Marsh