TheCityUK and Marsh have jointly published a report urging UK financial and related professional services sectors to step up their efforts to address cyber risk. The report (headed “Cyber and the City”) suggests that cybersecurity is still not being given the priority it deserves, particularly given the substantial disruption, costs and reputational damage that can flow from a cyber-incident. The threat of cyber-attacks on British companies is growing, with 2.5 million cyber-crimes reported last year in the UK alone. Alarmingly, the report reveals that only 30% of firms rated cyber threats in the top 10 risks to their business, and only 29% had tried to quantify their cyber exposure.
As we reported last year, company Boards are well-placed to reduce the risk of successful cyber-attacks and the ensuing financial and reputational consequences. The report makes a number of specific recommendations for individual firms and includes the following 10-point checklist:
- Identify and quantify the main cyber threats.
- Maintain an action plan to improve defence and response to these threats.
- Ensure that data assets are mapped and the actions necessary to secure them are clear.
- Manage supplier, customer, employee and infrastructure cyber risks.
- Implement independent testing against a recognised framework.
- Ensure the risk-appetite statement provides controls on cyber concentration risk.
- Test insurance for its cyber coverage and counter-party risk.
- Ensure preparations have been made to respond to a successful attack.
- Share cyber insights with peers.
- Provide regular Board review material to confirm status on the above.
Another key recommendation is that the financial services sector should set up an industry-wide “Cyber Forum” as a platform for industry participants to informally share important information and experiences, and help promote a unified response to cyber threats. The forum would consist of a steering committee of directors from various financial organisations, and a working group of information security officers or risk executives.
The report provides UK businesses facing growing cyber threats with a set of helpful, practical recommendations that complement (and build upon) their existing risk-management approach.