By Liz Willder, Partner and Head of Financial Services, FleishmanHillard UK
Imagine discovering that your customers’ personal data has been stolen and is for sale on the dark web. Or that your IT system is down, and you can’t service your customers. Or that your files have been encrypted so you have no access to up-to-date records.
For those of us who work in banking and financial services, this is the stuff of nightmares. But the reality is all three of those things are likely if your organisation is hit by a cyber-attack – and in fact even pre-pandemic seventy percent of UK financial services firms said that they had been targeted by cybercriminals in the previous year.
The reality is that cyber-crime is rampant. According to the US Identity Theft Resource Centre, the number of reported incidents in 2021 was 68% higher than in 2020. And the Information Commissioners Office (ICO) says that cybersecurity incidents, including ransomware attacks, where hackers either steal or encrypt data, rendering it inaccessible, then hold a business to ransom for it, were 20% higher in the second half of 2021 than the same period in 2019. The number of attacks may well rise further as a result of the Russia-Ukraine conflict – prompting the FCA to remind firms of the steps they should be taking to mitigate cyber risk.
Ransomware is rife
According to ransomware response specialists Coveware, more than three-quarters of cyber-attacks use the ‘double extortion’ tactic of both encrypting and exfiltrating (stealing) data.
Financial services companies are a prime target – because they have huge stores of highly sensitive, personally identifiable data that can be leveraged and monetised by cybercriminals. From credit cards and deposit information to estates, wills, titles, and other critical data stored electronically, financial firms are prime, high-value targets for criminal activity.
The cost of a ransomware attack on financial firms now clocks in at an average of £1.5m, according to data from cyber security firm Sophos. And the repercussions of a cyber event for a financial services provider can be severe. In a highly regulated industry, strong defences are vital, but the increasing sophistication of cybercriminals means that success rates for infiltration and data encryption are rising.
Of course, ransomware is just one of many cyber threats to financial services organisations but it’s often the costliest and most disruptive.
Defending your data
To protect against modern-day cyber threats, a preventative multi-layered defence system focused on preventing data loss, data profiling and data collection are required. Today, cyberattacks and data breaches are seemingly and sadly inevitable, and hackers will find their way in, but with a preventative approach to cybersecurity, these threats can be eliminated before the damage is done.
Cyber defence must be prioritized. Smart Boards will be scrutinising cyber-defence strategies and ensuring that all that can be done is in place. From cyber defence technology to regular staff training, everyone in the business from the top-down has a role to play.
And it’s not just about what you’ve done to prevent an attack, but also what you’ve done to mitigate the impact. Having a strong understanding of your data infrastructure can pay dividends in the event of an attack. Most financial services firms will have dozens of virtual and physical servers, so having a thorough understanding of where customer information, staff and financial records, partner and supplier information, contracts and operational documents and plans are stored will not only minimise the disruption, but it will also prove invaluable when assessing the impact on the data you hold and any contractual obligations and timelines you will need to adhere to.
GDPR dictates that companies have a clear data retention policy in place – so data is not only stored in the appropriate place but that it’s stored for no longer than is necessary and in line with your data retention policy. Certainly, when assessing a data breach the Information Commissioner’s Office will look at the ‘technical and organisations measure’ you have in place. These include the quality of systems and controls, your policies (and whether you enforce them) and how you ensure that your staff are competent. If you can demonstrate these, then you will go a long way towards mitigating any potential fine.
Preparing for the if not when and resurfacing with reputation intact
For an industry that has been marred by a lack of trust, the threat of customers voting with their feet and taking their business elsewhere is very real. But the reputational and customer confidence consequences of a successful cyber-attack are just part of the story; the knock-on impact on IT rebuilds, post-event reporting requirements, as well as significant fines for failing to keep personal data protected are a costly and unwanted exercise.
When the worst does happen, understanding how to secure systems, launch a forensics investigation, notify the relevant authorities, and manage reputation with internal and external stakeholders is vital. This means not only having an Incident Response Plan in place, but also running simulations and practice sessions to ensure that every member of the response team knows what their role is, and to spot and iron out any issues before the plan has to be deployed for real.
Long after the cyber-attack itself, what your staff, customers, regulators and other stakeholders will remember is how you handled the incident. Did you communicate in a way that was seen as transparent and authentic? Did you support them to understand what had happened, how they were impacted and help them deal with any consequences? Firms that handle a cyber incident well may actually be able to enhance trust with some stakeholders.
As such, communication experts have a vital part to play in a firm’s Incident Response Team. And communications must work hand in hand with forensic and legal counsel, and if relevant, the business’ insurance provider as part of the incident triage right through from the initial incident to the point where communications to all stakeholders can be closed.
From stakeholder mapping, message and materials development, to managing challenging customer or regulatory questions, media enquiries, reviewing the appropriateness of broader marketing activity and engaging with shareholders, the role of the communications is vast.
Perhaps most important to damage mitigation and reputation management is message control. Balancing transparency with patience is key to protecting relationships and limiting negative sentiment. Saying too much, too soon, in a bid to provide reassurance can often come back to haunt organisations.
Resolving and recovering from cyber-security incidents will take longer than you think
Cyber incidents are a marathon, not a sprint. The initial phase is focused on business continuity: restoring systems and ensuring that you are in a position to service customers is, of course, the most urgent priority.
But the forensic investigation – trawling through data and logs and, potentially, the information provided by the cyber criminals, can take weeks, sometimes months. But building an understanding of how and why the attack was able to take place and using this insight to future proof and strengthen defences is the most valuable takeaway from any incident.
Cybercrime isn’t going to go away. The reality is, it will become more and more prevalent for financial services firms large and small, making it one of the biggest modern-day threats to businesses. But those organisations that prepare, plan and train are those who are likely to be in the best possible position to manage and recover should the worst happen.