A new report published today by TheCityUK and Marsh, a leading global insurance broker and risk adviser, argues that firms across the financial and related professional services industry need to take urgent action on cyber risk.
There were a reported 2.5 million cyber-crimes in the UK last year, the majority of which were various forms of fraud with the loss typically borne by the financial sector. City firms have the data, money and profile to attract the full range of attackers including those seeking to undermine the financial system. Reputation and reliability are shared assets and argue for firms working collectively to reinforce the financial system’s resilience. That will protect services that are critical to the UK economy as well as ensuring that the UK remains a secure global financial centre.
The report – ‘Cyber and the City’ – recognises the significant effort invested by UK authorities to encourage action on cyber risk. It finds that while larger institutions are engaged on cyber security, there is an opportunity for the industry and individual firms to enhance cyber security and resiliency after cyber breaches. Survey evidence from Marsh supports the fact that too few firms are tackling cyber in a cohesive way: only 30% of large firms have it as a top ten risk, only 39% have quantified the risk and just 30% have a response plan to a breach occurring.
‘Cyber and the City’ recommends that Boards should hold management, rather than their IT departments, responsible for cyber risks, and provides ten simple questions that management should consider. According to the report, since 95% of all cyber incidents involve human error, people and processes matter as much as technology when it comes to managing cyber threats.
‘Cyber and the City’ further recommends the creation of a City-wide cyber forum to promote collaboration across all firms within the financial and related professional services industry. The forum would seek broader and committed support for cyber management and the many existing initiatives that are running. Its agenda would include encouraging information and best-practice sharing, working on cyber risk aggregation and system recovery and helping to develop a strong UK cyber security sector.
Chris Cummings, Chief Executive, TheCityUK, said, “Cyber-crime isn’t a problem of the future, it’s a very real threat today. There is no silver-bullet to manage it, but there are practical steps the industry, and the customers we serve, can take to ensure we’re well protected against attack. Cyber hygiene should be as commonplace as locking the windows and doors when you leave the house. It is essential for the industry and the continued attractiveness of the UK as a safe place to do business that we tackle this issue head on and make the UK a centre of excellence for cyber security.”
Mark Weil, CEO, Marsh UK & Ireland, said, “Financial services are a high-value target for cyber-crime given their criticality to the economy. In the end, most firms are going to need to spend money on cyber defences. That’s going to make for difficult choices on how much and in what they invest. Cyber insurance is an important element of preparedness as it marks to market the nature and size of threats firms face and the best use of their money in defending against them.”
‘Cyber and the City’ provides a series of practical recommendations for individual firms and the wider industry to improve their cyber resilience, working in partnership with Government, regulators, supervisors, police and intelligence services. They build on existing initiatives and progress already made in this area, and include:
Key recommendations for firms
- Make cyber a standing item on the Board or risk committee agenda;
- Ensure cyber risk is a part of strategy, investment cases, acquisition and appraisals;
- Have a broad-based team inputting to how cyber risk is managed;
- Monitor cyber readiness against the ten-point cyber checklist.
1. The main cyber threats for the firm have been identified and sized
2. There is an action plan to improve defence and response to these threats
3. Data assets are mapped and actions to secure them are clear
4. Supplier, customer, employee and infrastructure cyber risks are being managed
5. The plan includes independent testing against a recognised framework
6. The risk appetite statement provides control of cyber concentration risk
7. Insurance has been tested for its cyber coverage and counter-party risk
8. Preparations have been made to respond to a successful attack
9. Cyber insights are being shared and gained from peers
10. Regular Board review material is provided to confirm status on the above
Key recommendations for the industry
- Establish an industry-wide Cyber Forum to complement existing bodies and initiatives;
- Encourage information and best practice sharing through existing channels like CISP;
- Investigate cyber risk aggregation in the financial system, vulnerabilities to widespread attack and recovery from them;
- Encourage support for the UK cyber security sector including apprenticeships, mentoring, access to test facilities and participation in trade events overseas;
- Encourage the consideration of cyber hygiene standards in lending, underwriting and investment decisions to promote cyber security in the wider economy.