Thomson Reuters recently published the results of an interesting survey that canvassed the views of over 200 corporate and company secretaries, from firms across many parts of the world, on some of the key challenges faced by boards.
The results make for interesting reading. Most notably, information on cyber-security was the type of information least frequently requested by boards: only 32% of boards frequently or very frequently request it. One of the conclusions Thomson Reuters drew from the survey was that many firms do not have structures in place to protect their information (and presumably that of their customers) from cyber-attacks.
This suggests that for many firms, this particular issue is one that they’re just starting to get to grips with, rather than having incorporated it fully into their risk management structures and business recovery plans.
This may be a fair challenge. For many, the term “cyber-crime” is likely to be associated with the most commonly known forms of attack on the internet: phishing websites, spam emails and the threat of malware, such as viruses, worms or trojans, that infects networks.
These are all valid concerns. But for financial services firms, the issues go a bit deeper than this.
This is why everyone needs to understand what cyber-crime is, and what they can do to stop it happening.
There is a good chance that the majority of people working in financial services will be aware that there is a thing called cyber-crime, and will know some of the basics.
They may know not to share passwords with anyone, to protect their work devices whilst on the move, and not to use private computers or devices to store or transmit company materials.
But how well versed are staff in some of the more subtle aspects of cyber-security?
- Do they know, for instance, how to spot a potential spam or phishing email?
- Do they know where to report it, or what to do with it?
- Likewise, do they know not to open unusual-looking attachments, for fear of malware being introduced into their firm’s network? Perhaps not, because they assume that the firm’s anti-virus software will take care of all of that, when in practice anti-virus tools only catch what they have already been taught to recognise.
Surfing the web
Also, when surfing the web:
- Do employees know what to do when their browser warns that a website’s digital certificate is invalid or untrusted?
- Do they know their firm’s policy when it comes to internet and smartphone use?
- And do they know the policy on the connection of personal devices to work equipment?
These are, if you like, the basics of cyber-crime prevention – and there may be a tendency to forget that these have to be taken care of first.
Then there is the bigger issue of the threat that cyber-crime poses to the firm’s overall infrastructure. Certain retail banks have moved to strengthen their retail internet banking platforms by, for example, introducing “secure keys” (hardware tokens that generate one-time codes as a second authentication factor).
However, firms need to look not just at protection for their customers but at protection for themselves. This is not just an issue of the security of personal data. What if, for example, a malicious attack on the firm’s mainframe systems effectively disabled its operations?
One of the big problems with cyber-crime is that no-one can ever be certain which direction an attack will come from – or what form it will take. New methods are developing all the time.
The fact remains, though, that firms need to look carefully at the information they store electronically, and try to understand exactly where the risk may come from.
- How secure is the information stored on network servers, and who can access it?
- How up to date are the anti-virus tools and their signatures?
- Are all software patches applied promptly, including on systems that are easy to forget, such as servers and network equipment?
But even if all of these things are done, is there still a residual risk that needs to be mitigated?
This last point is the most important one. Have firms fully taken into account the risks that cyber-crime poses to them specifically?
- Is cyber-crime assessed alongside their other top operational risks?
- Have all of the mitigants been identified?
- Is the board aware of the significance of these risks?
Not forgetting, of course, the issue of business recovery. In the event of a cyber-attack, for example, on a firm’s main network:
- What steps will be taken to manage and fix the situation?
- How will the firm continue in business as best it can in the meantime?
- Business continuity programmes often deal clearly with the issue of a physical office space being out of action, but what about if the core systems are brought down? In this case, it’s not as simple as telling people to work from home or sending them to a contingency site.
There’s a regulatory aspect to this too. The FCA has stated its concerns about cyber-security being an emerging risk for firms. To quote from its 2014 Risk Outlook: “Cyber-crime has also received increased attention by operators of critical financial infrastructure, such as market exchanges and trading venues, since they have become high-profile targets for deliberate attempts to disrupt financial markets. These market infrastructures should review cyber security measures and pro-actively share joint intelligence to prevent any prolonged outage.”
So this is an issue that firms need to get to grips with if they haven’t already. And the starting point is training.
As with many subjects, the knowledge needs to be acquired first; then action can be taken. In the case of cyber-crime, training providers are starting to offer events and materials to help firms understand what it really means for them, not just from the point of view of customer-facing activities, but of structural risks as well.
For firms looking to take advantage of these opportunities, Industry Events Online provides an excellent way to find out more.
By Martyn Oughton, a Professional Member of the International Compliance Association (ICA). Martyn now writes a regular blog for Industry Events Online focusing on the importance of training in all aspects of compliance. Read Martyn's other publications at Martyn's Writers' Residence website.
To keep up to speed with new events and blog posts sign up to the Industry Events Online weekly newsletter.