Sam Turner: Is your organisation ready for a cyber-attack?

Cyber-attacks against FCA-regulated bodies have grown more than 15-fold in three years. Is your firm prepared for a hack attack asks Altus consultant Sam Turner

Imagine yourself as the widely stereotyped hacker. The spotty teenager sat in the basement, sipping from an oversized energy drink tin whilst pondering your next opportunity to devour some highly sensitive, personal information. Imagine one of your hacker friends alerts you to the hacking opportunity of a lifetime – a sector which manages trillions of pounds of assets, holds the most personal of customer information on file, and is widely renowned for constantly playing catch-up where all things technology are concerned. Only the stereotyped hacker doesn’t exist. Cyber criminals have evolved to such a state of organisational sophistication that entire departments are dedicated to R&D and it certainly wouldn’t take much of the R before the UK’s wealth management industry revealed itself as an appealing target.

Considering recent evidence that cyber criminals are willing to target beloved institutions such as the NHS & Disney, I should think we in financial services should consider keeping our guard up.

Can UK platforms – not to mention adviser firms or discretionary managers – boast a defence capable of keeping pace with the assailants? Attacks exceeding 1.5tb per second are now entirely feasible, botnets – infected groups of personal computers controlled without the owners knowledge to spread malicious software – are able to be formed using Smart TVs, fridges, and routers, while the number of ransomware cases emerging continues to rise. All of this becomes more of a risk as providers continue to launch D2C propositions without the information security systems, experience or focus of their peers in the banking industry.

Although no notable example of market impact or customer detriment has yet come to public attention, the number of cyber-attacks on FCA-regulated firms continues to increase. The regulator reported 5 such attacks in 2014, 27 in 2015 and 89 in 2016. A worrying trend which cannot solely be addressed through the standard regulatory process (although GDPR’s introduction next year will help). The fast-moving nature of the cyber security environment requires a more agile strategy.

What does this look like? Thankfully some of the most effective mechanisms available don’t require 50,000 hours coding experience nor vast financial expense. Cyber security is not simply an IT issue. Board level leadership is required in fostering a culture that reaches beyond the obligatory 2 hour annual presentation or common-sense based online data-protection quiz. Employees should be encouraged to not only make secure decisions, but adopt a cautious mind-set where information and data security are concerned. Many firms now introduce fake phishing scams to heighten awareness and ensure that cyber security is at the forefront of their employee’s minds for more than 2 hours a year.

TR16/1 and the increased regulatory scrutiny on adviser due diligence processes, should encourage the extension of such exercises to address the cyber security of not only product providers, but the third-party systems with which they’re associated. Similarly, in the current “cloudy” climate of outsourcing arrangements, providers should be mindful that whilst you can outsource certain functions be they systems, admin, or cloud related and enjoy the benefits that this may bring, you cannot outsource your responsibility for cyber security.

In fulfilling this responsibility, both internal and third party systems need to be thoroughly tested, robust business continuity procedures introduced and governance structures reviewed. The government’s cyber essentials scheme is designed to increase cyber resilience and can be slotted into a company’s risk assessment programme, which when combined with supplementary cyber security expertise should raise the bar for any would be attacker.

Finally, whilst many firms may consider themselves prepared, the interconnected nature of financial services requires a truly collaborative approach to information sharing and talent development in guaranteeing investor data remains protected and the emerging trust between our industry and its customers continues to grow.

…..The cyber threat may be high but the cost of mitigating much of this can be relatively low.