
'We are all at risk' from cyber, conference told
Worry of financial firms shown by increasing demand for cyber liability insurance

The threat to financial institutions from cyber crime is real and growing, said James Phipson, a director in the City of London Police's economic crime directorate, speaking at a conference in London on January 28.
"We are all at risk. Cyber criminals are getting more and more sophisticated," he warned delegates at the Wealth Management Association's Financial Crime Conference.
Due to the increasing risk posed by cyber crime, the City of London Police is among authorities urging financial institutions to identify and address areas of vulnerability within their organisations, including by building fraud protection into both new and existing processes and systems.
Phipson said a new approach to cyber threats was needed, with a greater emphasis on prevention. That would involve an increasing level of partnership between the financial industry and law enforcement agencies. "Prevention is about seeing patterns; it's about identifying the sources of these crimes, and being able to disrupt them before they happen," he said.
All companies need to share information and report suspicious transactions, Phipson added, although he acknowledged this could be particularly challenging for larger firms with a higher number of clients. "They have KYC [know-your-customer] controls and are ticking the boxes, but they don't actually know the people they are dealing with, and that is the biggest piece of prevention."
Other speakers at the conference pointed to the steps financial firms could take to manage their cyber risk. Christopher Burgess, cyber and professional indemnity team manager at New York-based insurer AIG, said the firm had seen a surge of new enquiries for cyber liability insurance in the fourth quarter of 2015.
"There was a huge increase at the tail end of last year," he said. "Financially regulated firms and telecommunications firms have been the areas where we've seen the biggest number of enquiries."
Burgess believed much of the increase had come as a result of the hacking of UK-based telecoms firm TalkTalk in October last year. The cyber attack caused a major loss of customer data and triggered a wave of negative publicity. In November, the company estimated the costs of the data breach at £30–£35 million ($43–$50 million).
Typically, firms use cyber liability insurance to complement their existing risk management, business continuity and disaster recovery plans. First-party cyber insurance usually covers the cost of post-breach responses such as IT forensics, legal assistance, data restoration, public relations advice, notification, and subsequent credit and IT monitoring.
Burgess said common challenges faced by firms in the wake of a cyber attack included untested incident response teams who didn't know how to work together, stalled decision-making and useless business continuity plans that were often "thick as a bible and sit on a shelf collecting dust". In his view, the best business continuity plans were shorter and simpler, with just a few tailored pages of instructions.
The most frequently reported cyber crimes are low-level incidents such as theft of credit card details or use of phishing attacks to steal client information. But Burgess said it was the impact of high severity hacks and significant denial of service attacks that was of most concern to companies.
"Their reputation being shot to pieces – that's the number one thing on my clients' lips when I speak to them," said Burgess. "That's the thing they're worried about."
The heightened interest in cyber liability insurance among financial firms coincides with concerns over data protection laws and heightened regulatory scrutiny of firms' systems and controls, he noted.
In December 2015, the European Parliament, European Council and European Commission reached agreement on the first ever piece of European Union legislation addressing cyber security. Under the EU Network and Information Security Directive – the final text of which must still be approved – firms operating in industries such as energy, transport, banking, health and water supply would be required to prove they have appropriate cyber security measures in place. The legislation would also require the mandatory reporting of cyber security breaches.
In the US, the Financial Industry Regulatory Authority (Finra) has said cyber security will be a focus for its supervision this year. The self-regulatory organisation plans to carry out reviews on firms' cyber security governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training during 2016.
"Given the evolving nature of cyber threats, this issue requires firms' ongoing attention. While many firms have improved their cyber security defences, others have not – or their enhancements have been inadequate," Finra said in its annual regulatory and examination priorities letter on January 5.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
More on Operational risk
Power play: how geopolitics is shaping op risk at G-Sibs
Op Risk Benchmarking: Geopolitics is a top five fear for G-Sibs, but most banks lack specialist risk staff and classical tools
Automating regulatory compliance and reporting
Flaws in the regulation of the banking sector have been addressed initially by Basel III, implemented last year. Financial institutions can comply with capital and liquidity requirements in a natively integrated yet modular environment by utilising…
No tick-the-box approach to compliance risks
Op Risk Benchmarking: G-Sibs share fear of regulatory run-ins, but lack common stance on modelling, KRIs and more
Bread-and-butter op risks at the top table
Op Risk Benchmarking: As G-Sibs are forced to do more, how can they avoid doing more wrong?
Op Risk Benchmarking: Inside the G-Sibs
New initiative scrutinises op risk measurement and management practices at the world’s largest banks
Sizing cyber: banks split on who owns and measures hack threats
Op Risk Benchmarking: G-Sibs split on risk modelling and management for IT disruption and infosec
Banks frequently breach appetite for top op risks
Op Risk Benchmarking: Five G-Sibs breached appetite in past year across four risk types, new research reveals
Investment banks: the future of risk control
This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control