Late last year London's largest financial institutions stress-tested their cyber security resilience with a series of 'war games' co-ordinated by financial regulators and Government officials. Bank staff had to respond to several simulated cyber incident scenarios, which included challenges such as the availability of cash from ATMs and coping with a liquidity freeze in the wholesale market.
Dubbed 'Operation Waking Shark II', the simulation – one of the largest ever conducted – emphasises the potential severity of cyber attacks affecting the financial markets. Along with a similar exercise carried out in New York – and plans for 200 US banks to participate in what amounts to a competition over which is best prepared to handle an attack – it signifies a growing awareness of cyber risk among Government, regulators and corporations.
In recent years the world's largest companies have been targeted by increasingly sophisticated hackers. Hacking is now widespread, with the attackers ranging from the intellectually curious to the politically motivated and more advanced organs of various nation states. The targets range from safety-critical processing systems in the energy sector to price-sensitive deal data in any sector.
Of course law firms are particularly attractive targets, because of the confidential and sensitive information they hold. With business now routinely carried out in the cloud and via mobile devices, all commercial organisations are increasingly finding themselves on the cyber frontline.
Despite the ever-evolving threats, when we looked at the impact of cyber incidents over the past three years on share prices globally, we discovered that the market is relatively forgiving of companies targeted by hackers. Our research revealed that, in nine out of 10 cases, cyber attacks had a relatively minor impact on share prices. After one week, businesses hit by a cyber attack saw an average dip in share price values of just 0.26%. The majority of companies saw shares restored to pre-crisis levels after four weeks.
Last year Bloomberg uncovered similar findings when it analysed US company filings with the Securities and Exchange Commission. The 27 largest US corporations reporting cyber attacks stated that they suffered no major financial losses, which exposes a disconnect with federal officials who emphasise the theft of billions of dollars in corporate secrets.
In the UK PwC research revealed that more than half of the finance directors at the country's top companies say they do not have enough information to stave off cyber attacks effectively. Furthermore, according to a recent survey undertaken by the Department for Business, Innovation and Skills (BIS), few of the UK's largest listed businesses regularly consider the threat posed by a cyber attack.
These findings suggest either that national governments are overstating the damage from cyber attacks, or that companies and investors are understating their impact.
For many, cyber security is just another aspect of data protection and privacy and information management. Online data breaches are certainly nothing new – they have been around since the creation of the first networks. It may be that the recurring tales of misplaced laptops, briefcases left on trains and lost personal and confidential data, which rarely make headlines for more than a day or two, have led investors to take information breaches in their stride.
As a prime target for hackers, the financial sector unsurprisingly takes cyber security seriously. But while banks are tuning in, some corporations are still struggling to understand how these risks apply to their own businesses, what their vulnerabilities are and what their economic exposure really is. Companies may be tempted to overlook cyber security until they fall prey to an attack. And there is also the risk that cyber security is seen as simply an IT problem rather than a board-level issue to be managed proactively. As the recent BIS survey highlighted, many FTSE 350 companies do not actively manage cyber risk at board level.
Meanwhile, cyber security remains a voluntary exercise for most companies in the US and Europe. The UK Government has indicated that it is not keen to legislate for cyber security – instead preferring to work directly with industry and professional services firms to raise awareness and share best practice.
However, the regulatory environment is showing signs of toughening. The EU is moving to force companies in certain sectors to report all cyber breaches and take specific risk management measures to protect systems and data. The US is also ramping up its focus as American businesses and Government institutions experience more attacks. As cyber security moves up the political agenda, corporates across all sectors may in turn start to take the threat more seriously.
Despite investors treating cyber attacks with relative sympathy and the somewhat patchy legislative framework, high standards on cyber security across all sectors of UK business are vital if we are to remain competitive. Indeed, there are strong arguments that the risk here is serious enough that basic requirements and standards should be imposed by regulation and not left to an organisation's discretion.
Cyber attacks are a very serious threat to businesses as they can go right to the heart of a company's value. In many sectors – from high technology to pharma and automotive – information is part of an organisation's DNA.
Effective cyber security requires dedicating resources and board-level preparation, including planning responses to a cyber incident. Companies should seize the opportunity now to assess their vulnerabilities and to establish what their most valuable information is and where it is held. Through that assessment, they can then prioritise money and resources to mitigate the risk of being affected disproportionately by a cyber attack.
Clearly, many organisations are yet to wake up to cyber risk and there is far more they need to do to protect themselves. Ultimately, cyber security will continue to evolve, so the faster the business community acknowledges the threat the safer it will be.
This article first appeared in 'Legal Week'.