By Andrew Ducat, Head of Client Services at Baronsmead LLP
Over the past decade, the financial sector has increased its reliance upon technology at an incredible rate. In contemporary business, the processes and interactions undertaken by investors and managers, and between institutions, are almost unrecognisable from even five or ten years ago. Whilst such technology continues to become more proficient, so do the threats and security considerations that firms must confront; such threats can be both large and small.
A single breach of cyber security can have a devastating impact, and cost organisations thousands, if not millions of pounds, while larger incidents have the ability to alter entire markets. This is something both governing bodies and individual firms are becoming more aware of, with pre-emptive measures being undertaken to combat potential attacks.
Examples of such threats can be found across Europe, with hackers staging high profile attacks on some of the continent’s largest institutions. One example is the 2012 ‘Eurograbber’ campaign, through which a group of hackers stole $36 million from banks in Italy, Germany, Spain and The Netherlands. Perhaps a testament to their high-tech methods, not a single member of the group has been identified. This followed an attack earlier in the same year, dubbed ‘Operation High Roller’, during which attackers based in Russia and Albania managed to steal from banks across Europe before targeting the U.S., eventually siphoning $78 million from bank accounts.
The U.K.’s Business Secretary recently voiced his concerns at the country’s perceived vulnerability to such crimes, with similar issues raised by the German Minister of Internal Affairs, Thomas de Maizière.
Whilst such incidents can often seem a daunting prospect, the threat can be managed, and it is possible to identify ‘cyber threats’. It is useful to remind ourselves that no one owns the internet, and interaction on such a large scale is difficult to regulate or monitor. Whilst we recognise this lack of accountability, in general we continue to input some of our most vital data into these systems. Studies suggest that we often have a limited understanding of the technical and security proficiencies of such systems, but view them as safe because of the reputations and scale of the companies behind them.
The Bank of England recently conducted the Waking Shark II cyber exercise, the purpose of which was to examine the ‘preparedness’ of large financial institutions.
Among the key observations from the exercise was a lack of central coordination for financial sector information sharing. The process for communicating with regulators about cyber events was also found to require clarification. As such, there remain challenges in understanding how a cyber attack and/or service outage would affect business transaction flow.
Such findings will be of concern to a range of firms throughout the U.K. and across Europe. In order to address such concerns, it is important to identify the underlying problem.
It is not the gathering and submission of personal information that is the problem; it is the misuse and misappropriation of such details that represents a genuine danger. Such data is often commercially and personally confidential, and as such is subject to regulatory and legislative protection. However, when the equipment or system that stores such information is accessed by an unauthorised individual, group or programme, the underlying risks are the same. The systems financial institutions use to store data are often outsourced to third parties, who will in turn focus on their design, installation and management.
As the scale of the operation expands, so does the number of risks associated with the ongoing process. This is mainly due to an increased scope for human error, and indeed the human aspect is often viewed as the weakest link in the technological chain.
This risk, and the associated threat, is manageable through effective and efficient processes and increased security measures. The first, and perhaps most important, step is recognition and quantification of the threat. Large financial institutions are often perceived to be ‘unaware’ or ‘naïve’ to the complexities and vulnerabilities of their systems.
Once these risks have been articulated and quantified, it is possible to challenge the system’s integrity, and in doing so assess its strengths and weaknesses with regard to security. This will involve analysis of all connections and third parties involved, which can often be carried out by a third party specialist. Once such exposures have been highlighted, it is possible to mitigate the threat and consider risk transfer and insurance options. It is worth noting that insurance options are available to cover cyber risks and crimes, across a variety of products, each specific to a certain aspect of cyber crime.
Firms that have already invested in Professional Indemnity, Crime and Property insurances can find elements of third party liability and first party cyber cover within them. The extent to which this meets the buyers’ requirements can be considered as part of an overall analysis of cyber exposures.
Companies wishing to consider more bespoke insurance may deem it necessary to undertake independent analysis prior to committing to the underwriting process.