A new report published by TheCityUK and Marsh argues that firms across the UK financial and related professional services industry need to take urgent action on cyber risk.
There were a reported 2.5 million cyber crimes in the UK last year, the majority of which were various forms of fraud with the loss typically borne by the financial sector. City firms have the data, money and profile to attract the full range of attackers including those seeking to undermine the financial system. Reputation and reliability are shared assets and argue for firms working collectively to reinforce the financial system’s resilience. That will protect services that are critical to the UK economy as well as ensuring that the UK remains a secure global financial centre.
The report – ‘Cyber and the City’ – recognises the significant effort invested by UK authorities to encourage action on cyber risk. It finds that while larger institutions are engaged on cyber security, there is an opportunity for the industry and individual firms to enhance cyber security and their resilience following cyber breaches. Survey evidence from Marsh supports the finding that too few firms are tackling cyber risk in a cohesive way: only 30 percent of large firms have it as a top ten risk, only 39 percent have quantified the risk and just 30 percent have a response plan for a breach occurring.
‘Cyber and the City’ recommends that Boards should hold management responsible for cyber risks instead of their IT departments and provides ten simple questions that management should consider. According to the report, since 95 percent of all cyber incidents involve human error, people and processes matter as much as technology when it comes to managing cyber threats.
‘Cyber and the City’ further recommends the creation of a City-wide cyber forum to promote collaboration across all firms within the financial and related professional services industry. The forum would seek broader and committed support for cyber management and the many existing initiatives that are running. Its agenda would include encouraging information and best-practice sharing, working on cyber risk aggregation and system recovery and helping to develop a strong UK cyber security sector.
‘Cyber and the City’ provides a series of practical recommendations for individual firms and the wider industry to improve their cyber resilience, working in partnership with Government, regulators, supervisors, police and intelligence services. They build on existing initiatives and progress already made in this area, and include:
Key recommendations for firms
- Make cyber a standing item on the Board or risk committee agenda;
- Ensure cyber risk is a part of strategy, investment cases, acquisition and appraisals;
- Have a broad based team inputting to how cyber risk is managed;
- Monitor cyber readiness against a ten-point cyber checklist:
  - The main cyber threats for the firm have been identified and sized
  - There is an action plan to improve defence and response to these threats
  - Data assets are mapped and actions to secure them are clear
  - Supplier, customer, employee and infrastructure cyber risks are being managed
  - The plan includes independent testing against a recognised framework
  - The risk appetite statement provides control of cyber concentration risk
  - Insurance has been tested for its cyber coverage and counter-party risk
  - Preparations have been made to respond to a successful attack
  - Cyber insights are being shared and gained from peers
  - Regular Board review material is provided to confirm status on the above
Key recommendations for the industry
- Establish an industry-wide Cyber Forum to complement existing bodies and initiatives;
- Encourage information and best practice sharing through existing channels like CISP;
- Investigate cyber risk aggregation in the financial system, vulnerabilities to widespread attack and recovery from them;
- Encourage support for the UK cyber security sector including apprenticeships, mentoring, access to test facilities and participation in trade events overseas;
- Encourage the consideration of cyber hygiene standards in lending, underwriting and investment decisions to promote cyber security in the wider economy.