Cyber safe not cyber sorry
- Publish date: 19 December 2016
- Archived on: 11 January 2018
With the cyber-security breach at Tesco Bank reportedly costing £2.5m so far, Nick Wilding asks if boards are ready to take notice.
Will board meetings in financial services organisations ever be the same again? The high-profile attack on Tesco Bank in November brings into sharp focus what business leaders in financial services already know: a cyber attack can have a huge impact on their organisation. Beyond the direct financial loss, hard-won reputations (both corporate and personal), competitive advantage and market value are also at risk. As Warren Buffett noted: “It takes 20 years to build a reputation and five minutes to ruin it.” So are boards and senior executive teams regularly discussing their business resilience to cyber risks? How much are they prepared to do to protect their reputations?
Talking the talk
It’s often reported that boards increasingly recognise cyber attack as one of the greatest risks they face. But, typically, there remains a gap between awareness of the risk and effective action against it. The most recent FTSE 350 Cyber Governance Health Check research with CEOs, CFOs and NEDs revealed:
- one third of boards have clearly set and understood their appetite for cyber risk;
- just 16% have a very clear understanding of where the company’s key information assets are shared with third parties; and
- only 49% of boards have a clear understanding of the potential effect of loss/disruption of key information and assets.
The questions CEOs and senior executives will be expected to answer following an attack are exactly what they need to be considering before an attack happens:
- Who and what is affected by the attack?
- Where was the information/asset and how was it being protected?
- What vulnerabilities were exploited by the attack?
- What is the impact of the lost/compromised information?
- What steps are we taking to mitigate the risk and minimise the harm to our customers?
Such direct questions are difficult to answer. With cyber attacks continuing to target the most sensitive and valuable information within the financial services industry every day, all organisations need to be ready to both raise and answer these questions.
Don't overlook the obvious
Investment in cyber security technology continues to rise. Yet at the same time the number, scope and impact of successful cyber attacks is also increasing. This suggests that there is something missing in our collective corporate response. Critically, the board and senior executives need to understand that cyber resilience is fundamentally as much about people, behaviours and culture as it is about technology and regulatory compliance.
In the introduction to Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers Tom Farley, president of the New York Stock Exchange, said: “It is important companies remain vigilant, taking steps to proactively and intelligently address cyber security risks within their organisation.
Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, and insight on human behaviour. Confidence, after all, is not a measure of technological systems, but of the people entrusted to manage them.”
This highlights that the role of boards and senior decision-makers is to set the right ‘tone from the top’ – one that encourages and incentivises everyone in the company to be aware, informed and confident to make the right decisions at the right time. At the British Bankers’ Association Cyber Resilience Conference in November this year, many of the discussions focused not on technology but on the ‘human factor’. It seems that there is a growing acceptance that effective resilience requires an enterprise-wide, multi-disciplinary response that balances risks and opportunities with people, processes and technology.
Cyber attacks are no longer ‘black swan’ events, but business as usual. It follows that cyber resilience should now be a standard agenda item at board meetings. We all – including our partners and suppliers – have a specific role to play and a responsibility in protecting valuable and commercially sensitive information, and to help ensure UK plc is a safe place to do business. A cyber-resilient organisation is one whose people are cyber aware and actively engaged in learning and not just ‘ticking the box’. Ignorance isn’t a defence anymore – the risks and impacts are too great.