
Cyber security: a priority for businesses


By Joanne Cracknell | September 9, 2020

This article looks at how businesses can best manage their cyber security: how to reduce the likelihood of an attack, and how to respond when one occurs.

The threat of a cyber security incident remains a priority risk for businesses, with cyber criminals increasingly taking advantage of the opportunities presented by rapid advances in IT infrastructure and businesses' growing dependency on technology. In its recent whitepaper, UK Finance, a leading industry body for banking and finance, classed cyber security as a Tier 1 threat alongside terrorism, war and natural disasters1.

Cyber security should be an integral feature of every business's strategy, objectives and budget, regardless of sector or size. Businesses must take the necessary steps to minimise their exposure to cyber attacks, especially as such incidents are becoming increasingly sophisticated. It is therefore important that businesses have implemented sound and robust cyber security incident response policies and procedures. Everyone within the business, including stakeholders, should be aware of the threat of a cyber security incident and its impact, and should understand the protocols to be followed should a breach occur, such as containment and the prevention of subsequent incidents. This is more important than ever as a result of the coronavirus pandemic (COVID-19): cyber criminals are seeking to exploit businesses facing increased cyber-related challenges, whether because staff are working remotely or because the business is operating a hybrid structure, with some staff returning to the office and others continuing to work from home as lockdown restrictions ease.

The FCA expects the businesses it regulates to be aware of cyber security risks and to become more resilient to cyber attacks, while protecting consumers and maintaining market integrity.

Firms of all sizes need to develop a security culture and manage such risks in accordance with the requirements of the FCA Handbook2. If a cyber security incident occurs and the preventative measures in place are considered inadequate, businesses may find themselves facing difficult questions from their regulator, the Information Commissioner's Office (ICO) and/or their professional indemnity insurers.

Assessing and Identifying the Risk

Businesses need to identify, assess and monitor the risks and vulnerabilities affecting their key assets and services so that those risks can be properly managed and appropriate controls implemented. This is also a regulatory requirement: Principle 3 of the Principles for Businesses provides that a firm "must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems"2. The FCA recognises, however, that there is no one-size-fits-all approach to managing cyber security risk, and accepts that businesses will need to interpret the risks in a way that is relevant and proportionate to the size and nature of their business.

Responding to a Cyber Security Incident

Businesses should devise a cyber security response strategy that establishes the systems and controls needed to protect the business from a cyber attack or any other type of cyber security incident. The strategy should name a designated person (or persons) responsible for maintaining the incident response plan, conducting risk assessments and invoking the plan if an incident occurs.

The strategy should be endorsed and supported by senior management and board members, which in turn will help develop a cyber security culture. Cyber security risk is as significant as any other critical strategic, operational, financial or compliance risk that senior management and board members must consider when operating their businesses.

As part of the risk assessment and the design of the response strategy, a business needs to identify its key assets and essential services, together with the vulnerabilities and risks affecting them.

Furthermore, they will need to consider the potential impact a cyber security incident may have on their customers, for instance, disruption to services or the potential loss of their data. Businesses also need to factor in how they will support and reassure their customers in the event of a cyber related incident.

Considering this information will help businesses determine what should be included in their cyber security response strategy: for example, what level of technical support they require, whether they have sufficient in-house expertise or need to engage external experts, and whether they need to recruit specialist teams to support their customers should an incident occur.

The financial and structural implications of a cyber security incident should also be considered as part of the response strategy. If systems go down, this may cause significant disruption to the running of the business and to the service provided to customers; as a result, the business may suffer a loss of revenue, not to mention possible reputational damage.

Be Prepared

The consequences of a cyber security incident can be significant. It may result in the disclosure of confidential and sensitive information about clients, the business or its staff, theft of funds, damage to IT infrastructure and, as mentioned above, reputational damage. Maintaining effective cyber security measures is therefore no longer optional; it has become a critical business requirement.

The time and cost of dealing with a cyber security breach can be substantial. The resulting loss of revenue may in turn cause financial instability and, in the worst case, closure. Preparation is therefore key.

It is essential that any cyber security response plan is tested regularly to ensure it works. This can be achieved by planning and running plausible disruption scenarios, which helps keep disruption to the business and to customers to a minimum should a real incident occur. Walking through realistic scenarios is recommended, as the findings can be fed back into the response strategy so that lessons learned are identified and acted upon. Any revisions to processes and procedures should be communicated to all staff and, where necessary, supported by training.

Furthermore, if the business relies on services provided by third parties, these dependencies need to be incorporated into the plan, including details of those parties, their roles and the escalation/cascade process for contacting them.

As mentioned above, education and awareness of cyber security risk are of paramount importance, as staff are often the route in for attackers, and many cyber security breaches arise from human error. Training must be tailored so that it is relevant to individual teams or staff members, depending on their role within the business.

The frequency of training is a business decision. However, training should be provided on a regular basis and should form part of the induction process for new members of staff. Refresher training is always helpful, especially in the current environment, with many staff working remotely as a result of COVID-19 and the threat of cyber attacks increasing. At a minimum, all members of staff should be able to identify a phishing email, should know not to click on links or open attachments from untrusted sources, and should be familiar with the business's reporting lines should an incident arise.

Reporting Obligations

It is not just members of staff who have an obligation to report cyber security incidents. Stakeholders must also understand their reporting responsibilities in the event of a breach, as they will need to be involved in any external reporting. Principle 11 of the Principles for Businesses provides that a firm must "deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice"2.

Firms must report material cyber incidents to the FCA in accordance with Principle 11 of the FCA Handbook3. In addition, firms have a duty to notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms4. The ICO has the power to impose fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher) on both data controllers and data processors5, and has issued substantial fines over the last two years in respect of a number of high-profile data breaches.

Cyber Insurance

The UK Finance whitepaper highlights the importance of purchasing cyber liability insurance as part of a business's cyber security risk management measures. Each business will, of course, need to make a risk-based decision as to whether cyber insurance is necessary.

Businesses should carefully consider the policies available to them and select the one most appropriate to their business and situation. The aim of cyber insurance is to help businesses minimise disruption should a cyber security incident occur, to help manage incidents such as a phishing attack or a data breach that may require in-depth technical expertise, and to offer financial protection during an incident.

The National Cyber Security Centre (NCSC) has recently issued helpful guidance on purchasing cyber insurance6. The NCSC guidance stresses, however, that purchasing cyber insurance will not prevent a cyber security incident from occurring, so businesses will still be expected to have measures in place to minimise the risk of an incident. Nonetheless, cyber insurance can offer businesses peace of mind and access to specialist teams to help deal with an incident on their behalf, as well as demonstrating to regulators their commitment to cyber security.

Footnotes

1 UK Finance. (2020). Incident Management: Cyber Incident Response - Is Your Firm Ready? Retrieved from https://www.ukfinance.org.uk/system/files/Incident-Management-Whitepaper_FINAL.pdf

2 Financial Conduct Authority. FCA Handbook, PRIN 2.1: The Principles. Retrieved from https://www.handbook.fca.org.uk/handbook/PRIN/2/1.html

3 Financial Conduct Authority. (2019). Cyber Resilience. Retrieved from the Financial Conduct Authority’s website: https://www.fca.org.uk/firms/cyber-resilience

4 Information Commissioner's Office. (2020). Personal data breaches. Retrieved from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

5 Information Commissioner's Office. (2020). Enforcement. Retrieved from https://ico.org.uk/for-organisations/guide-to-eidas/enforcement/

6 National Cyber Security Centre. (2020). Cyber insurance guidance. Retrieved from https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance

Author

Joanne Cracknell, Associate Director - FINEX PI UK Legal Services
