Financial firms in the United Kingdom are not taking cybersecurity seriously enough according to the Financial Policy Committee. The group is currently carrying out tests on some 36 of the largest financial firms in the country.
The full results of the research, which is named Walking Shark II, have not been released, but the research has already unearthed some worrying information about the state of cybersecurity at these, some of the most important companies in Britain. The situation is, according to the Financial Policy Committee, getting better, though more investment is needed, and more awareness of the issues involved is absolutely essential.
With a clearly escalating scale in cyber attacks, it’s unclear why firms put so little emphasis on the development of systems that are likely to keep them safe if, and when, they become a target. Financial firms are particularly at risk given the amount of sensitive customer information they are custodians of.
Most of the companies that have been hit by a major cyber attack thus far met the standards and regulations in place without issue. Attackers have still managed to grab everything they needed.
Last year a report released jointly by the British Banker’s Association and PwC said that 93% of large organizations suffered a security breach in the year studied. The report called for a financial industry information-sharing mechanism that would help to protect the entirety of the sector from attacks of that type.
PwC cybersecurity partner Richard Horne said “Cyber crime is a major threat to the UK’s financial services sector, as fraudsters increasingly turn to technology as their main crime tool. These figures show that an increasing number of UK financial services companies are taking cyber security seriously.
Defending from the inevitable
Given the impossibility of blocking every gap, it should be clear that financial firms are better suited assuming that their defenses will be breached, and limiting the amount or kind of information that would be available to individual hackers.
More and more emphasis is now on detecting rather than defending from cyber attacks. With the assumption that defending from all angles is impossible while attack from all angles is likely, which is particularly true for a financial firm, a hack is inevitable. Knowing about it as soon as it occurs may be the best way to limit the gains of those involved in the assault.
James Lewis, a security expert at the Center for Strategic and International Studies in Washington DC, reckons that companies fail at cyberresilience when they build high walls, but fail to prevent those that scale them from accessing everything. Defense during an attack is just as important as defense from an attack, according to the researcher.
Hacking goes mainstream
With most of the news about hacking in the last decade having concentrated on the juvenility of groups like Anonymous, you could be forgiven for believing that there’s little threat to financial firms. Hacks last year, including that on the US retail database owned by Target, have shown that view demonstrably false and painted a picture of how these attacks can damage a firm financially.
The attack on Sony Pictures at the end of last year, which the government of the United States blamed on North Korea, demonstrated the power of state-sponsored cyberattacks, and the sheer amount of information that can be gleaned from such an effort.
The most important example for individuals on all sides of the financial industry is, of course, the JPMorgan hack. Based on a simple mistake that left a wide open pathway for the hackers, the attack compromised the accounts of 76 million consumers and 7 million businesses.
Security awareness for investors
For investors looking to hedge funds and other financial firms to guard their money, there appears to be relatively little that can be done. Even for investors with an advanced understanding of cybersecurity, firms are unlikely to release enough detail to accurately judge their security framework.
US regulator FINRA says that investors should be more aware of the cybersecurity policies of the firms they deal with. Given the lack of information offered on how to do so effectively, it seems that task remains extremely difficult. Cybersecurity should still be considered when evaluating an investment vehicle, despite the lack of good information.
For investors then, it may be about taking on the extra expense to be confident of adequate insurance in the case of an attack. Such an effort won’t protect from the damage of information release fully, but it should shield from monetary loss, albeit for a price.