'We are all at risk' from cyber, conference told

The threat to financial institutions from cyber crime is real and growing, said James Phipson, a director in the City of London Police's economic crime directorate, speaking at a conference in London on January 28.

"We are all at risk. Cyber criminals are getting more and more sophisticated," he warned delegates at the Wealth Management Association's Financial Crime Conference.

Due to the increasing risk posed by cyber crime, the City of London Police is among authorities urging financial institutions to identify and address areas of vulnerability within their organisations, including by building fraud protection into both new and existing processes and systems.

Phipson said a new approach to cyber threats was needed, with a greater emphasis on prevention. That would involve an increasing level of partnership between the financial industry and law enforcement agencies. "Prevention is about seeing patterns; it's about identifying the sources of these crimes, and being able to disrupt them before they happen," he said.

All companies need to share information and report suspicious transactions, Phipson added, although he acknowledged this could be particularly challenging for larger firms with a higher number of clients. "They have KYC [know-your-customer] controls and are ticking the boxes, but they don't actually know the people they are dealing with, and that is the biggest piece of prevention."

Other speakers at the conference pointed to the steps financial firms could take to manage their cyber risk. Christopher Burgess, cyber and professional indemnity team manager at New York-based insurer AIG, said the firm had seen a surge of new enquiries for cyber liability insurance in the fourth quarter of 2015.

"There was a huge increase at the tail end of last year," he said. "Financially regulated firms and telecommunications firms have been the areas where we've seen the biggest number of enquiries."

Burgess believed much of the increase had come as a result of the hacking of UK-based telecoms firm TalkTalk in October last year. The cyber attack caused a major loss of customer data and triggered a wave of negative publicity. In November, the company estimated the costs of the data breach at £30–£35 million ($43–$50 million).

Typically, firms use cyber liability insurance to complement their existing risk management, business continuity and disaster recovery plans. First-party cyber insurance usually covers the cost of post-breach responses such as IT forensics, legal assistance, data restoration, public relations advice, notification, and subsequent credit and IT monitoring.

Burgess said common challenges faced by firms in the wake of a cyber attack included untested incident response teams who didn't know how to work together, stalled decision-making and useless business continuity plans that were often "thick as a bible and sit on a shelf collecting dust". In his view, the best business continuity plans were shorter and simpler, with just a few tailored pages of instructions.

The most frequently reported cyber crimes are low-level incidents such as theft of credit card details or use of phishing attacks to steal client information. But Burgess said it was the impact of high severity hacks and significant denial of service attacks that was of most concern to companies.

"Their reputation being shot to pieces – that's the number one thing on my clients' lips when I speak to them," said Burgess. "That's the thing they're worried about."

The heightened interest in cyber liability insurance among financial firms coincides with concerns over data protection laws and heightened regulatory scrutiny of firms' systems and controls, he noted.

In December 2015, the European Parliament, European Council and European Commission reached agreement on the first ever piece of European Union legislation addressing cyber security. Under the EU Network and Information Security Directive – the final text of which must still be approved – firms operating in industries such as energy, transport, banking, health and water supply would be required to prove they have appropriate cyber security measures in place. The legislation would also require the mandatory reporting of cyber security breaches.

In the US, the Financial Industry Regulatory Authority (Finra) has said cyber security will be a focus for its supervision this year. The self-regulatory organisation plans to carry out reviews on firms' cyber security governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training during 2016.

"Given the evolving nature of cyber threats, this issue requires firms' ongoing attention. While many firms have improved their cyber security defences, others have not – or their enhancements have been inadequate," Finra said in its annual regulatory and examination priorities letter on January 5.