Britain’s businesses are being urged to better protect themselves from cyber criminals following government research launched this week in the Cyber Security Breaches Survey. The research also shows that in some cases the cost of cyber breaches and attacks to business reached millions, with the most common attacks detected involving viruses, spyware or malware. With one in four large firms experiencing a breach at least once a month, only half of all firms have taken any recommended actions to identify and address vulnerabilities. Even fewer, about a third of all firms, had formal written cyber security policies, and only 10% had an incident management plan in place.
Confirming this trend, PWC’s Global Economic Crime Survey 2016 reported earlier this year that cybercrime holds the number 2 slot as the most reported economic crime, affecting 32% of organisations. However, most companies are still not adequately prepared for the risks they face, or do not even understand them: only 37% of organisations have a cyber-incident response plan.
Cyber security is a top priority for government, with the publication last month of its Annual Report for the UK Cyber Security Strategy 2011-2016. Having identified cybercrime as a primary concern to the UK, the government developed a National Cyber Security Programme from which the Strategy was established. The report for 2015/16 reviewed the progress of the past year and looked forward to the new strategy for 2016. Despite an increase in cybercrime cases since the Strategy was launched, the report concluded that significant progress had been made towards increasing the safety and protection of the UK from cybercrime. It also confirms that investment in cyber security will rise to £1.9 billion over the next five years. November will see the opening of the National Cyber Security Centre. (See our related blog).
A public-private partnership
Co-operation between public and private sector (a trend in law enforcement matters across the board) is a key part of the cyber security strategy, with the financial services sector core to this initiative.
Indeed, the Financial Conduct Authority’s Business Plan 2016-17 published last month sets out a number of key priorities and reports on how its Risk Outlook has shaped those priorities. Making it onto the top priority list we see Innovation and Technology sitting alongside Financial Crime and Anti-Money Laundering, Culture and Governance, Pensions, Advice, Treatment of Existing Customers and Wholesale Financial Markets.
Ultimately the FCA wants firms’ and markets’ technology to become increasingly resilient to cyber threats. Confirming the threat unveiled in the most recent survey, the Government’s June 2015 Information Security Breach survey reported that 90% of large organisations and 74% of SMEs had had a security breach, up from 81% and 60% respectively the year before. It put the financial cost at £1.46m - £.14m for a large organisation and £75k - £311k for a small one.
Use of technology for scams and as a vehicle for financial crime is also a key issue raised. Underlining that technology plays a “fundamental and increasingly pivotal role” in delivering innovative products and services, the FCA confirms that a balance must be struck between supporting innovation that benefits consumers and ensuring they have adequate protection. Well aware of the risks associated with technology, the plan sets out the role the FCA has to play in ensuring firms’ technology and systems become more resilient to both cyber-attacks and more traditional outages, thereby safeguarding consumers and markets and building confidence in the effectiveness of financial technology.
In terms of risks identified, the FCA highlights how widespread adoption of technology is likely to be limited by vulnerabilities in the design and management of systems and infrastructure. A lack of technological resilience, the need to balance investment in innovation with maintaining existing systems and infrastructure, and a lack of IT expertise at board level are some of the reasons the FCA flags as presenting significant challenges. These failures pose both conduct risks and potentially a systemic risk.
In the year to come the FCA will focus on identifying the impact of operational resilience risks in the firms likely to cause “the most disruption to markets and consumers resulting from an incident, and how firms deal with such risks and impacts.” Whilst these attacks are inevitable, the FCA argues that firms need to ensure that they have defences and plans in place to deal with them.