Not if, but when. Cyber ​​Incident Planning for Financial Services Firms


By Liz Willer, Partner and Head of Financial Services, FleishmanHillard United Kingdom

Imagine finding out that your customers’ personal data has been stolen and is for sale on the dark web. Or that your computer system is down and you cannot serve your customers. Or that your files have been encrypted so that you don’t have access to up-to-date records.

For those of us who work in banking and financial services, this is a real nightmare. But the reality is that all three of these things are likely if your organization is hit by a cyberattack – and in fact, even before the pandemic, 70% of UK financial services firms said they had been targeted by cybercriminals in the previous year.

The reality is that cybercrime is rampant. According to the US Identity Theft Resource Center, the number of incidents reported in 2021 was 68% higher than in 2020. And the Information Commissioners Office (ICO) says cybersecurity incidents, including ransomware attacks, where hackers steal or encrypt data, making it inaccessible, then ransoming a company, were 20% higher in the second half of 2021 than in the same period in 2019. The number of attacks may well increase further due to the Russian- Ukrainian – prompting the FCA to remind businesses of the steps they need to take to mitigate cyber risk.

Ransomware is rampant

According to ransomware response specialists Coveware, more than three-quarters of cyberattacks use the “double extortion” tactic of encrypting and exfiltrating (stealing) data.

Financial services companies are a prime target because they have huge stores of highly sensitive and personally identifiable data that can be exploited and monetized by cybercriminals. From credit card and deposit information to estates, wills, titles and other electronically stored critical data, financial companies are prime and high-value targets for criminal activity.

The cost of a ransomware attack on financial firms now averages £1.5m, according to data from cybersecurity firm Sophos. And the repercussions of a cyber event for a financial services provider can be severe. In a highly regulated industry, strong defenses are essential, but the growing sophistication of cybercriminals means that success rates for infiltrating and encrypting data are increasing.

Of course, ransomware is just one of many cyber threats to financial services organizations, but it’s often the costliest and most disruptive.

Defend your data

To protect against modern cyberthreats, a multi-layered preventative defense system focused on data loss prevention, data profiling, and data harvesting is required. Today, cyberattacks and data breaches are seemingly and unfortunately unavoidable, and hackers will find their way in, but with a preemptive approach to cybersecurity, these threats can be eliminated before harm is done.

Cyber ​​defense must be a priority. Smart Boards will review cyber defense strategies and ensure everything that can be done is in place. From cyber defense technology to regular staff training, everyone in the company, from top to bottom, has a role to play.

And it’s not just about what you did to prevent an attack, but also what you did to mitigate its impact. Having a good understanding of your data infrastructure can pay dividends in the event of an attack. Most financial services companies have dozens of virtual and physical servers. Therefore, a thorough understanding of where customer information, personnel and financial records, partner and supplier information, contracts, documents and operational plans are stored will not only minimize disruption, but will also prove invaluable when assessing the impact on the data you hold and the contractual obligations and deadlines you will need to meet.

The GDPR requires companies to have a clear data retention policy in place – so that data is not only stored in the appropriate place, but that it is not stored for longer than necessary and in accordance with your data retention policy. data retention. When assessing a data breach, the Office of the Information Commissioner will certainly consider the “technical and organizational measure” you have put in place. These include the quality of systems and controls, your policies (and whether you enforce them), and how you ensure your staff are competent. If you can demonstrate them, you will go a long way to mitigating any potential fines.

Preparation for the if not when and resurface with a reputation intact

For an industry that has been marred by a lack of trust, the threat of customers voting with their feet and taking their business elsewhere is very real. But the impact of a successful cyberattack on customer reputation and trust is only part of the story; the impact on IT rebuilds, post-event reporting requirements, as well as large fines for not protecting personal data is a costly and undesirable exercise.

When the worst happens, it’s critical to understand how to secure systems, initiate a forensic investigation, notify the proper authorities, and manage reputation with internal and external stakeholders. This means not only having an incident response plan in place, but also running simulations and drills to ensure each member of the response team knows what their role is, and to spot and resolve any issues before the plan needs to be rolled out for real.

Long after the cyberattack itself, what your staff, customers, regulators and other stakeholders will remember is how you handled the incident. Did you communicate transparently and authentically? Did you help them understand what happened, how they were affected, and help them deal with the consequences? Companies that handle a cyber incident well may actually be able to build trust with certain stakeholders.

As such, communications experts have a vital role to play on a company’s incident response team. And communications must work hand-in-hand with legal and forensic counsel and, if applicable, the company’s insurance provider in the triage of incidents from the initial incident to the point where the communications with all stakeholders can be closed.

From mapping stakeholders to developing messages and materials, managing difficult customer or regulatory questions, media inquiries, reviewing the relevance of broader marketing activity and engagement with shareholders, the role of communications is extensive.

Message control is perhaps most important for mitigating damage and managing reputation. Balancing transparency and patience is key to protecting relationships and limiting negative feelings. Saying too much, too soon, for the purpose of reassurance can often come back to haunt organizations.

Resolving and recovering from cybersecurity incidents will take longer than you think

Cyber ​​incidents are a marathon, not a sprint. The initial phase is focused on business continuity: restoring systems and ensuring you are able to serve customers is, of course, the most pressing priority.

But forensic investigation – sifting through data and logs and, potentially, information provided by cybercriminals, can take weeks, sometimes months. But understanding how and why the attack could have taken place and using this information to secure the future and strengthen defenses is the most valuable lesson of any incident.

Cybercrime is not going away. The reality is that it will become increasingly prevalent for financial services companies large and small, making it one of the biggest modern threats to business. But the organizations that prepare, plan and train are the ones that are likely to be in the best possible position to manage and recover should the worst happen.

Previous Fighting the Cost of SEC Climate Change Rules - Securities
Next Sources of financing for a new entrepreneur