Data protection | Apr 12 2018

Is the cybersecurity threat real?


Most of us have heard the news and seen the headlines about yet another cybersecurity or data hacking incident. 

Some of us may even have been affected directly, either working in a company that has been a target, or having had our own data hacked and made public.

Companies including Equifax and Uber have been high-profile victims of data breaches, while even public sector organisations, such as the NHS, have fallen victim to hacking.

But is the cybersecurity threat real?

Surely, these companies simply were not prepared enough for such incidents and had not invested in the right systems. 

But perhaps what this shows is that if it can happen to large companies and corporates, then the chances are it can affect a business of any size, including small financial planning firms.

Data loss

“The threat is real, and an attack should be considered to be inevitable at some point; only the extent, the seriousness of the disruption, and the reputational risk are variables,” warns Mark Ehlinger, head of regulatory and professionalism services at Focus Solutions.

Figures from the Financial Conduct Authority (FCA) show that reported hacking attacks resulting in data loss at financial services companies quadrupled in the past year, according to RSM.

RSM obtained the figures from a Freedom of Information request and reported them in February 2018.

The figures show that incidents of data loss resulting from hacking rose from four in 2016 to 17 in 2017; two separate incidents of ‘data leakage’ were also reported to the regulator.

The retail banking sector suffered the highest number of reported attacks last year, at 17, followed by retail lenders and investment management firms with 16 each; insurance firms reported a further 11 incidents to the FCA.

[Chart omitted. Source: FCA/RSM]

Steve Snaith, technology risk assurance partner at RSM says: “We have previously raised concerns that there is likely to be significant under-reporting of cyber attacks by regulated financial services firms. Nevertheless, these new numbers do reveal some important trends.

“The jump in incidents of data loss resulting from hacking attacks should be particularly concerning to the financial services sector, given we are just months away from the new GDPR regime coming into force.”

Wherever data is held, the cybersecurity threat is real, notes Steve Casey, marketing director at Square Health, and that includes financial adviser firms.

“A financial planning firm could hold all types of data, including possibly medical data in the form of a copy of an application form, so an obvious example would be to steal this data and then publish this on the web,” he explains.

If adviser and financial planning firms are not concerned about the threat, they should be; preparing for GDPR is an opportunity to demonstrate that they are doing something about it.

Jon Szehofner observes that risk managers are worried about cybersecurity, and for good reason.

“We only need to look to Risk.net, which has ranked cyber and data security risk as the top operational risk for the last two years (as part of its annual survey with risk managers in financial services).”

He continues: “The threat from cyber attacks is not only growing, but also evolving into new and sophisticated forms. From the Bangladesh Bank heist – which saw hackers exploit vulnerabilities in the Swift financial communications network to steal $81m from accounts belonging to the central bank; to the theft of £2.5m from 9,000 Tesco Bank customers' accounts following a data breach.” 

Those sums are large, and they make the threat to firms from cyber attacks concrete.


But what about the punishment?

As Mr Szehofner points out: “If the reputational damage alone weren't enough to spur firms into action, the threat of action from regulators for firms whose cyber resiliency isn't up to scratch probably will be.”

“Training, and awareness of the risks and safeguards which the business faces, through complacency, or apathy, or arising from poor morale, are not to be underestimated,” suggests Mr Ehlinger.

“Delinquency in this area is not preparing effectively, or complacency. 

“Following a cyber incident, one of the first questions which the Information Commissioner’s Office will ask will be to see the log of employee training on data security and EU GDPR matters. If none exists, the dialogue with the Commissioner may be unexpectedly brief.”

Mr Ehlinger cautions that smaller businesses are often not prepared to tackle these types of threats due to limited technical knowledge, ageing technology infrastructure and inadequate data control processes.

The cost of protecting data

If GDPR compliance leads many firms to upgrade their technology, they should also be better placed to prevent a hack or attack and, if they do become a victim, to limit the damage done.

Ruaraidh Thomas, managing director of applied analytics at DST Systems, cites a Data IQ estimate that the average UK firm is investing £1.3m in GDPR compliance.

But the cost of failing to comply could be far higher, and the costs of a successful cyber attack could also exceed that figure.

Understanding the financial risk of an attack on a business is important, as Mr Snaith sets out.

“Cybersecurity continues to be a primary challenge for organisations,” he admits.

“The risk can be monetised for financial planning organisations to some extent. There are many examples of quoted financial loss values relating to cyber-attacks.”

But he adds: “Our view is that many of these values are inaccurate, at times overstated and not fundamentally based on sound cost estimation models. 

“At the same time, we consider valuing cyber risk to be a useful exercise to inform your corporate governance framework and cyber control environment.” 

He suggests such valuation metrics can include consideration of:

  • Assessment of individual business processes, the value of these processes, the percentage of turnover and the risk of each (based on transaction value and volume); and
  • Cyber loss business impact assessment for each business process/unit, based on a range of factors including: value of lost transactions, legislative penalties and business demand impact through reputational loss.

Mr Snaith concludes: “The risks to data, systems and business operations are real and the methods of cyber-attack are evolving dramatically.”

eleanor.duncan@ft.com