How Financial Firms can Become More Resilient to Cyber Risk

Cyber incidents are increasing in frequency and sophistication as more assets go on-line and the cost and expertise needed to launch an attack fall. While attacks on the financial system have not, so far at least, been successful, the potential exists for systemic risk that could destabilise the entire system if such an event were to occur.

It is important for firms to categorise the different cyber threats and their consequences in order to pin-point the appropriate responses. Cyber risk can be defined as “any risk of financial loss, disruption or damage to reputation from some form of failure of information technology systems”.[1]

Broadly, cyber attacks can be categorised into three groups:

  • Fraud – The majority of cyber incidents today can be classed as “fraud”, which includes attempts at extortion, identity theft, and other crimes targeting individual customers or employees.
  • Firm take down – This includes large-scale data theft, system disruption, and damage, in which a particular firm is targeted for personal or political reasons.
  • System failure – This covers an incident affecting multiple institutions. For example, a concerted attack on several firms, the failure of the payments system, or a failure of the national infrastructure that the financial sector relies on.

Marsh’s report, Cyber and the City: Making the UK Financial and Professional Services Sector More Resilient to Cyber Attack recommends that boards conduct regular reviews to ensure that management has taken ownership of the cyber threat.

This should ensure that cyber risk is seen as part of business leaders’ role and is addressed in a wide range of contexts. It will also widen functional engagement in cyber risk management beyond the chief information officer or chief information security officer to business unit leaders, HR, risk, finance, legal, and others.

To encourage such action, firms should put the following 10-point checklist in place:

  • The main cyber threats for the firm have been identified and sized.
  • There is an action plan to improve defence and response to these threats.
  • Data assets are mapped and actions to secure them are clear.
  • Supplier, customer, employee, and infrastructure cyber risks are being managed.
  • The plan includes independent testing against a recognised framework.
  • The risk appetite statement provides control of cyber concentration risk.
  • Insurance has been tested for its cyber coverage and counter-party risk.
  • Preparations have been made to respond to a successful attack.
  • Cyber insights are being shared and gained from peers.
  • Regular board review material is provided to confirm status on the above.

[1] Cyber Risk: Resources for Practitioners, Institute of Risk Management, 2014.