Cybersecurity – why is it important?
In the digital era, financial institutions rely on technology to engage with their customers, manage assets and balance sheet exposures, settle transactions, and satisfy regulatory reporting requirements. The resilience of firms’ technology infrastructure has become a key focus for chief executives and regulators[1] alike – it is no longer the sole preserve of the IT department.
Recent high-profile incidents have placed data security breaches firmly on the front pages – Mossack Fonseca, Ashley Madison, TalkTalk, VTech, Target, Home Depot. Some leaks and attacks are initiated by activists or whistle-blowers (sometimes under the cover of public interest); of greater concern are those initiated by criminal groups who recognise that confidential information, financial data and personal identities are a tradable commodity.
The risk of cybercrime to the UK economy is estimated at £27bn[2], with 90% of large companies reporting a security breach in 2015.[3] The exposure is perceived as most acute in the banking, capital markets and insurance sectors.[4]
It is not surprising, then, that over half of large companies polled in a recent survey[5] have appointed CISOs (Chief Information Security Officers) in recognition of the potential impact of data breaches on their business.
In short, IT and data security have become an essential element of any firm’s strategic management controls, and we explore some of those themes in this briefing.
What does a data incident look like?
The jargon of cyber-attacks is a familiar part of the lexicon – hacking, viruses, malware, denial-of-service attacks, phishing scams.
Very often a combination of techniques is used, and the penetration may go undetected for some time. This was the case in the attack on US retailer Target, where the initial breach (theft of user credentials from a third-party vendor) is thought to have taken place several weeks before malware was introduced into Target’s point-of-sale systems; this malware enabled the hackers to expropriate details of over 40 million credit card customers.[6]
Not all data security breaches are as sophisticated or well executed. Many result not from “targeted attacks” but from pure negligence on the part of employees or third-party contractors – the loss of an unencrypted memory stick; emailing confidential documents to the wrong recipient; losing CDs containing sensitive personal information in the post.[7]
What are the main causes of IT Security breaches?
Human error is still regarded as the single largest cause of IT security breaches – IBM claims that up to 95% of all security incidents result from human error.[8]
This manifests itself in the failure of IT departments to manage IT assets and access privileges appropriately, deploy up-to-date virus and malware protection, install firewalls, and roll out software updates and security patches.
It also manifests itself in the failure of end-users to comply with mandated security policies: downloading illegal software, accessing insecure websites, leaving mobile devices unattended, sharing or disclosing passwords. Amazingly, “password”, “123456” and “qwerty” remain at the top of the list of the most popular passwords.[9]
What are the possible consequences of a breach?
A cyber-attack or data breach can have multiple, detrimental effects on an organisation, particularly in the financial services sector:
- damage to reputation and brand;
- loss of business and contracts;
- loss of consumer confidence;
- drop in share price;
- compensation payments and other financial penalties;
- loss of intellectual property and customer data;
- costs of remediation (including notification and re-issuing credit cards);
- costs of litigation;
- disruption to day-to-day operations and management focus.
A data incident affecting a financial institution can also trigger regulatory sanctions. In addition to fines imposed by the ICO for breach of data privacy legislation, the FCA has the power to:
- impose fines on firms or individuals;
- suspend firms from certain regulated activities;
- apply to the courts for injunctions or restitution orders;
- and, ultimately, withdraw a firm’s authorisation.[10]
The Regulatory Perspective
In its Business Plan for 2016/17, the FCA acknowledges that: “Cyber-attacks are increasing and pose risks to consumers and markets.”
The FCA Handbook[11] states that a firm should “establish and maintain appropriate systems and controls for the management of its IT system risks” and “information security risks”. This includes the management of “people risks” as well as processes and procedures to maintain the confidentiality, integrity and availability of systems.
The Senior Management Arrangements also define specific requirements in the case of outsourcing of important or material operational functions (SYSC 8). These rules are mandatory for Common Platform Firms.[12]
In its guidance paper on the use of off-the-shelf banking solutions[13], the FCA outlines a range of measures firms should consider to assess, test, manage and mitigate security risks; ensure the security and integrity of data; and put in place appropriate disaster recovery plans.
Finally, in its guidance consultation on outsourcing to the ‘cloud’[14], the FCA encourages firms to:
- consider the use of international standards (such as the ISO27000 series) when conducting due diligence;
- agree a clear data residency policy with the service provider;
- specify how data will be transmitted, stored (and encrypted if necessary) and segregated from other client data;
- define appropriate data breach notification processes;
- appropriately manage data security risks.
It is worth noting that both the FCA and the PRA acknowledge that there is no “one-size-fits-all” approach and encourage firms to take a risk-based approach to IT security.
Defining a Coherent IT Security Strategy
A firm’s IT infrastructure is only as secure as its weakest link. An IT security strategy therefore needs to take a holistic view of the environment, all external interfaces, and any vulnerabilities.
As we outlined above, the regulatory regime requires that firms have a clear, written information security policy. Good practice would dictate that this policy should address the following elements:
- personnel policies (for employees & contractors);
- strong asset management protocols;
- robust access controls (identity and access management);
- physical & environmental controls;
- supply-chain controls (vendor & 3rd party management);
- system development & maintenance procedures;
- compliance & reporting requirements;
- business continuity procedures; and
- incident management plans.[15]
Responding to Data Security Breaches
It is vital that organisations put in place an effective incident response plan which can be initiated as soon as they become aware of any security or data breach. Experience shows that the first 24 hours are critical in minimising damage, and the affected organisation should:
- immediately initiate their cyber/data breach response plan;
- record the date and time the breach was discovered and alert the response team;
- secure the premises around the area the breach took place;
- take affected machines offline (if appropriate);
- review company protocols regarding dissemination of information;
- keep a record of everything known about the breach.
In the case of a disclosure of personal data, it may be appropriate to notify the ICO in accordance with the requirements of applicable data protection legislation.[16]
Designing Appropriate Contractual Mechanisms
Appropriate contractual mechanisms are essential to manage service providers and ensure compliance with IT security policies. The same applies to intra-group arrangements (where, for example, services are provided by group companies).
In the case of outsourcing agreements, it will be important to:
- define clear and unambiguous physical and logical security requirements;
- establish a robust back-up policy to limit the risk of data loss or corruption;
- ensure compliance with information security policies and/or recognised industry standards (such as ISO27001);
- request evidence of supplier security controls (such as SSAE 16);
- manage security procedures throughout the entire supply-chain;
- monitor compliance on an ongoing basis (including by way of audits);
- impose an obligation to immediately report breaches, restore systems, and remedy any loss or damage;
- revoke access privileges in the event of breach (or suspected breach);
- retain the right to terminate arrangements where required;
- update contractual requirements and policies in line with changes to law, regulation, and technology.
Equivalent controls must be maintained in relation to personnel arrangements. In most cases financial institutions will need to carry out vetting and/or criminal background checks on all personnel with access to data; ensure compliance with policies (IT security, AML, insider dealing, confidentiality); maintain strict access controls; and carry out periodic reviews and spot-checks.