'We are all at risk' from cyber, conference told
Worry of financial firms shown by increasing demand for cyber liability insurance
The threat to financial institutions from cyber crime is real and growing, said James Phipson, a director in the City of London Police's economic crime directorate, speaking at a conference in London on January 28.
"We are all at risk. Cyber criminals are getting more and more sophisticated," he warned delegates at the Wealth Management Association's Financial Crime Conference.
Due to the increasing risk posed by cyber crime, the City of London Police is among authorities urging financial institutions to identify and address areas of vulnerability within their organisations, including by building fraud protection into both new and existing processes and systems.
Phipson said a new approach to cyber threats was needed, with a greater emphasis on prevention. That would involve an increasing level of partnership between the financial industry and law enforcement agencies. "Prevention is about seeing patterns; it's about identifying the sources of these crimes, and being able to disrupt them before they happen," he said.
All companies need to share information and report suspicious transactions, Phipson added, although he acknowledged this could be particularly challenging for larger firms with a higher number of clients. "They have KYC [know-your-customer] controls and are ticking the boxes, but they don't actually know the people they are dealing with, and that is the biggest piece of prevention."
Other speakers at the conference pointed to the steps financial firms could take to manage their cyber risk. Christopher Burgess, cyber and professional indemnity team manager at New York-based insurer AIG, said the firm had seen a surge of new enquiries for cyber liability insurance in the fourth quarter of 2015.
"There was a huge increase at the tail end of last year," he said. "Financially regulated firms and telecommunications firms have been the areas where we've seen the biggest number of enquiries."
Burgess believed much of the increase had come as a result of the hacking of UK-based telecoms firm TalkTalk in October last year. The cyber attack caused a major loss of customer data and triggered a wave of negative publicity. In November, the company estimated the costs of the data breach at £30–£35 million ($43–$50 million).
Typically, firms use cyber liability insurance to complement their existing risk management, business continuity and disaster recovery plans. First-party cyber insurance usually covers the cost of post-breach responses such as IT forensics, legal assistance, data restoration, public relations advice, notification, and subsequent credit and IT monitoring.
Burgess said common challenges faced by firms in the wake of a cyber attack included untested incident response teams who didn't know how to work together, stalled decision-making and useless business continuity plans that were often "thick as a bible and sit on a shelf collecting dust". In his view, the best business continuity plans were shorter and simpler, with just a few tailored pages of instructions.
The most frequently reported cyber crimes are low-level incidents such as theft of credit card details or use of phishing attacks to steal client information. But Burgess said it was the impact of high severity hacks and significant denial of service attacks that was of most concern to companies.
"Their reputation being shot to pieces – that's the number one thing on my clients' lips when I speak to them," said Burgess. "That's the thing they're worried about."
The heightened interest in cyber liability insurance among financial firms coincides with concerns over data protection laws and heightened regulatory scrutiny of firms' systems and controls, he noted.
In December 2015, the European Parliament, European Council and European Commission reached agreement on the first ever piece of European Union legislation addressing cyber security. Under the EU Network and Information Security Directive – the final text of which must still be approved – firms operating in industries such as energy, transport, banking, health and water supply would be required to prove they have appropriate cyber security measures in place. The legislation would also require the mandatory reporting of cyber security breaches.
In the US, the Financial Industry Regulatory Authority (Finra) has said cyber security will be a focus for its supervision this year. The self-regulatory organisation plans to carry out reviews on firms' cyber security governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training during 2016.
"Given the evolving nature of cyber threats, this issue requires firms' ongoing attention. While many firms have improved their cyber security defences, others have not – or their enhancements have been inadequate," Finra said in its annual regulatory and examination priorities letter on January 5.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Operational risk
Integrated GRC solutions 2024: market update and vendor landscape
In the face of persistent digitisation challenges and the attendant transformation in business practices, many firms have been struggling to maintain governance and business continuity
Vendor spotlight: Dixtior AML transaction monitoring solutions
The Chartis Research report, AML transaction monitoring solutions, considers how, by working together, financial institutions, vendors and regulators can create more effective anti-money laundering (AML) systems.
Financial crime and compliance50 2024
The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector
Automating regulatory compliance and reporting
Flaws in the regulation of the banking sector have been addressed initially by Basel III, implemented last year. Financial institutions can comply with capital and liquidity requirements in a natively integrated yet modular environment by utilising…
Investment banks: the future of risk control
This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control
Op risk outlook 2022: the legal perspective
Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…
Emerging trends in op risk
Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…
Moving targets: the new rules of conduct risk
How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…