Board checklist issued to improve cyber-security, data sharing advocated
Lobban urges banks to share attack data
In less than a decade cyber-security has moved from a niche technical discipline to a Tier One threat to national infrastructure, delegates were told earlier today at the launch of the CityUK's Cyber Taskforce report, 'Cyber and the City; making the UK's financial and related professional services industry safe from cyber attacks'.
A main theme at the launch was making the whole issue of ‘cyber-hygiene’ pervasive in society, a key issue on all board meeting agendas, and an issue for all managers, not just those dealing with technology – with Human Resources particularly taken to task in those cases where they had assumed it was not an issue for them, despite people and insider threats being a primary threat. Cyber-risks can now bring a company down, and even have severe impacts on the economy, as Estonia discovered in a past attack widely believed to have come from Russia. In this context, London's financial sector was heavily represented at the event, including insurance as well as legal organisations.
Sir Iain Lobban, former head of Government Communication Headquarters (GCHQ) emphasised that the critical areas to be considered by organisations can be summed up as CIA – Confidentiality of data – and the consequences of theft and publicising of confidential information; Integrity of data – and the potential consequences of that data being tampered with and changed; and Availability – what happens if you can't get the information you need when you need it.
Following the main presentation Lobban commented to SCMagazineUK.com on the need for banks to share information on attacks: “In a domain where the attackers have obviously got an advantage – they are in your system – the defenders have to make the most of the advantages that they've got, and sharing their view of what is going on within their organisation is going to give them a much more holistic view of what's going on. They can anticipate threats because they see what's happening in a different organisation, or even in a different sector. It's a mistake to think about these attacks as being simply sector-specific. Different groups adapt and then adopt the methods used by other attackers. There is plenty of reverse engineering going on out there, so as soon as a new modus operandi is seen, a new technique, the sooner organisations can then share knowledge about that technique and start to work together to build up some sort of mitigation towards it, the better.”
Regarding how to do that sharing without giving away competitive advantage, Lobban added, “CISPs are definitely part of the answer. Personally I think there is scope for other sharing bodies. This is not a competitive issue, this is something whereby it's ‘one for all and all for one.’ It's an area where the specialist knowledge required to defeat an attack – not just to discover it – is highly unlikely to be found within a single organisation, so we need organisations to work together to do that. One of the things we therefore need is for organisations and the individuals within them to feel motivated to share what is going on. Not to be castigated about it. So while regulation is important to get the attention of key stakeholders, what we need is for people to be able to feel they can share (this information) without fear of penalty.”
The report also noted that while half of CEOs think they are covered by cyber-insurance, only 10 percent actually are. When SC asked why this might be, Mark Weil, CEO UK & Ireland at Marsh, chair of TheCityUK Cyber Taskforce and a co-author of the report, partially pointed the finger at the insurance industry, but also at the boards themselves, saying: “A lot of insurance policies were written a long time ago when cyber-insurance was nascent – then they only get pulled out again when things go wrong. Often there is a lack of clarity. A (dedicated) cyber policy is more explicit than the implicit cover in general insurance policies and there can be confusion about what is covered and what's not,” noting that even cyber-insurance policies would generally only cover remediation and not loss of reputation and consequential losses. He also pointed out that 80 percent of current cyber-insurance policies are in the US, where the emphasis is on data breaches, whereas in Europe the emphasis is on business disruption.
Nonetheless, insurance was still seen as a driver of standards, along with regulation. While the EU GDPR was welcomed as a means of delivering breach reporting and ensuring boards paid attention to the risk of data breaches, John McFarlane, chairman of TheCityUK and chairman of Barclays Bank, advised that regulatory approaches should not be too prescriptive about how security is achieved and should be more concerned with what is achieved, so that organisations could adapt to their own circumstances.
A key part of the report is that it includes a ten-point checklist for boards:
1. Ensure that the main threats faced by a firm have been considered.
2. There is an action plan to improve defence and response to these threats.
3. Data assets are mapped and actions to secure them are clear.
4. Supplier, customer, employee and infrastructure cyber-risks are being managed.
5. The plan includes independent testing against a recognised framework.
6. The risk appetite statement provides control of cyber-concentration risk.
7. Insurance has been tested for its cyber-coverage and counter party risk.
8. Preparations have been made to respond to a successful attack.
9. Cyber insights are being shared and gained from peers.
10. Regular Board review material is provided to confirm status on the above.
Survey evidence from Marsh cited in the report shows that only 30 percent of large firms have cyber-security as a top ten risk, only 39 percent have quantified the risk and just 30 percent have a response plan to react to a breach occurring.
It also notes that there were a reported 2.5 million cyber-crimes in the UK last year, mostly various forms of fraud with the loss borne by the financial sector.
While it is acknowledged that there is no silver bullet to manage cyber crime, there are practical steps the industry, and our customers, can take to ensure we're well protected against attack. Cyber-hygiene should be as commonplace as locking the windows and doors when you leave the house.
It is recommended that Boards hold management responsible for cyber-risks instead of their IT departments. Also, since 95 percent of all cyber-incidents involve human error, people and processes matter as much as technology when it comes to managing cyber threats.
Weil adds, “Financial services are a high-value target for cyber-crime given their criticality to the economy. In the end, most firms are going to need to spend money on cyber-defences. That's going to make for difficult choices on how much and in what they invest.
Download the full CityUK Cyber Taskforce report.