The finance sector is no less vulnerable to attacks than consumer markets says Colin Lobley, director at risk consultancy firm, Manigent.

Colin Lobley

In the digital age, it seems that we are only moments away from the next major cyber hacking story. The financial services industry, it would appear, is no less vulnerable than consumer markets – arguably more so. Using risk appetite robustly and taking an information-centric view can offer a solution writes Colin Lobley, director at strategy and risk consultancy Manigent.

In February 2014, financial institutions were warned that they face a significant and growing cyber threat, as hacktivists and criminals attempt to manipulate markets with distributed denial of service attacks (DDoS). These attacks are where a hacker makes a computer resource (such as a website or network) stop responding to legitimate users.

A report by analysts at security firm Prolexic said that a growing number of cyber attack campaigns are being launched with the aim of lowering share prices for publicly traded companies and disrupting exchange activity to prevent trades being made. Several US banks have been targeted by this type of assault in the past two years, including JPMorgan Chase, Bank of America and Citigroup. The report claimed: “Since 2011, and growing in 2012 and 2013, DDoS attack campaigns have become a significant threat to financial firms.”

In November 2013, it was reported that cyber criminals were targeting the IT systems of wealth managers as a means of gaining access to (and stealing money from) more secure clearing banks and other counterparties.

Stricter regulation and regulator engagement on the horizon

Recognising the dependencies and escalating risks of a cyber-enabled operating ecosystem, and with lessons from Waking Shark II (the recent Bank of England-led exercise simulating a cyber attack on the UK financial system), the regulatory landscape for cyber in financial services is beginning to change.

The minutes of the UK’s Financial Policy Committee meeting on 18 June 2013 stated that ”market participants had increasingly highlighted concerns about operational risk, including threats of cyber-attack”.

In September 2013, this committee took action, stating that the next step was for “the boards of the relevant supervisory bodies to ensure that there was a concrete plan in place to deliver a higher level of protection against cyber attacks for each institution at the core of the financial system, including banks and infrastructure providers”. A timescale of early 2014 was set to construct these action plans.

Whatever action plans or regulations emerge, fundamentally, it will be businesses being encouraged, or required, to manage both their information and digital operations in an intelligent, controlled fashion, and reporting both risks and incidents in a timely manner to the regulators.

Inertia at board level

Yet there is still much inertia about the problem at board level. A business department survey the same month revealed that few of the UK’s largest listed companies regularly consider the cyber threat to their business. The study, involving chairmen and the chairmen of audit committees of FTSE350 companies, said the board had only a “basic” understanding of the company’s key data assets – a major target of cyber criminals.

This is made even more surprising by a report that suggested the FTSE 350 could make potential gains of £44bn gross operating profit per annum through enhanced information exploitation, with financial services organisations making on average 27% improvements.

Assessing the opportunity and risk is difficult

The problem is that assessing both the value information contributes to a business and the value of associated cyber-driven risks is not easy.

As an asset, the value of information is significant, but so too are the multi-faceted consequences of a realised information risk. Not only is there the direct and indirect effect of the information being unavailable, stolen, lost, compromised or manipulated, but also the resulting reputational and financial consequences on the business as a whole. These can range from nothing (you may not even realise a cyber incident has occurred), to a major reputational catastrophe damaging the bottom line.

Additionally, there is much emphasis on cyber attack vectors such as DDoS, trojans and waterholing – and the technical vulnerabilities to these attacks. This pushes businesses down the route of finding an IT solution to an IT problem, rather than taking a business risk perspective.

This ambiguity and confusing IT-centric language makes it an unattractive area for management attention and investment. Yet, regardless of any future regulation, given our operational dependency on information and digital operations, they are critical business risks and cannot be ignored or undermanaged in an IT silo.

Conclusion

Taking an information-centric view and using risk appetite  a management concept that determines the level of risk that an organisation is prepared to accept before action is deemed necessary to reduce it – can provide a solution.

Best practice suggests that risk should be assessed in the same terms as a business’s value drivers – typically money in any commercial business. Information is used by the business to generate value. We therefore need to articulate the value of information , the risk appetite and the risk exposure in financial terms.

This will align the organisation from board-level to IT security, avoiding an overly IT-centric perspective, and informing the decisions needed to allocate adequate resource to the management of information and its risk. In so doing, this approach will enable businesses to realise their share of the £44bn gains and protect against incidents and losses.