Cyber risks are silent, deadly and often mundane
Fear of submarine-like attack overshadows more dangerous, less scary cyber threats
The military use of submarines was pioneered during the American Civil War, but Britain's Royal Navy was slow to adopt them. In 1901, Admiral Sir Arthur Wilson, the controller of the navy, described them as "unfair, underhand, and damned un-English".
Thinking about the threat faced by sailors, it's easy to see why somebody might think this way. Previously, a captain and his crew would have been able to spot enemy ships on the horizon well before they could pose a palpable threat. Suddenly, naval vessels were faced with the grim possibility of a catastrophic assault emerging from the deep, without warning, at any time.
A similar sentiment applies to cyber attacks. Like a submarine assault, the impact can be catastrophic, preventing businesses from operating properly and fatally damaging confidence in the eyes of the public. For firms, the attack is all the more scary because it is silent and stealthy. And even after the damage has been done, the shadowy perpetrators of cyber crime may remain unseen.
No surprise, then, that cyber risk cropped up as the most frequent concern of operational risk managers in a Risk.net survey of their biggest op risk fears for 2016.
Worrying about cyber security lapses has also become a leading preoccupation of regulators. "When I think about the risks that might cause the next crisis, cyber security is one that concerns me the most," said Sarah Dahlgren, the then-head of the Financial Institution Supervision Group at the Federal Reserve Bank of New York, speaking at an OpRisk conference in March 2015.
In its latest Semiannual Risk Perspective, published on December 16 last year, the US Office of the Comptroller of the Currency pointed to "the increased sophistication of cyber threats" and "pervasive technology vulnerabilities" as among its biggest op risk concerns.
At a global level, supervisors are working to address the cyber risks faced by financial market infrastructures, such as central counterparties, trade repositories and payment systems. The Basel-based Committee on Payments and Market Infrastructures (CPMI) and the Madrid-based International Organization of Securities Commissions (Iosco) published a consultation on their high-level Guidance on cyber resilience for financial market infrastructures in November 2015. Coen Voormeulen, co-chair of the group that produced the guidance and a director at De Nederlandsche Bank, stresses firms and regulators must work together to keep cyber threats at bay.
For all the emphasis on cyber risk, it's worth remembering that not all of it involves targeted attacks by shady cyber criminals. Lost passwords, unattended computer terminals and inadequate controls on sensitive data are more likely causes of cyber security breaches, say risk managers – and the consequences can be no less severe. The CPMI-Iosco guidance appears to acknowledge this, with a section on insider threats noting the need for firms to look into "anomalous behaviour" by staff using their systems and to ensure that "access... is restricted only to those with a legitimate business requirement", for example.
Those more prosaic cyber threats may not scare risk managers in the same way as a giant shadow lurking from the depths would strike fear into the hearts of seamen. The real picture is less frightening, but perhaps more dangerous. For it seems the enemy is not just undetected; they might already be in the room.
Copyright Infopro Digital Limited. All rights reserved.