Cyber resilience and insurers: the FCA is awake, are you?
From ransomware to phishing attacks and mass data leaks, the varied and complex risks that cybercrime poses to financial businesses, including insurance companies, should be high on any CEO’s action and review list.
The fact that cyber risk is also firmly on the radar for the Financial Conduct Authority (FCA) should also help with prioritising. Whether you work for one of the largest, global insurers or brokers, or a small-to-medium-sized enterprise, the FCA maintains that it is your responsibility to be aware of the threat from cybercrime, to defend your business and its data effectively, and to respond proportionately to cyber attacks or events.
Leading insurance operations are keenly aware of the risk of cybercrime of course, and offer cyber coverage and risk management support to clients. But insurers and brokers themselves must lead by example, and ensure their businesses follow best practice when it comes to protecting against cyber threats, and in particular protecting the integrity and security of the precious business asset that is their client data.
The latter point is even more pertinent when planning for the implementation of the upcoming General Data Protection Regulation (GDPR), which comes into force in May 2018. There has never been a more relevant time to understand how cyber resilience and GDPR compliance interlink, and to explore best practice concerning risk reduction, business continuity strategy, and system resilience.
A security culture
According to the FCA, companies of all sizes should develop a security culture that includes every employee from the boardroom down. This includes the identification, prioritisation and protection of all information assets: hardware, software and people. A clear, top-down structure for cybersecurity is required to drive awareness and behavioural change in your organisation.
Cyber risk should be on the agenda of every board meeting and all employees should have a clear understanding of procedures—not just in terms of cyber defence, but also in the event of an attack or breach. Notification and containment are key, and the faster action is taken the better.
Under Principle 11 of the FCA Handbook, financial organisations must report a material cyber incident, including any significant loss of data, loss of availability or control of IT systems, impacts on a large number of customers, or any unauthorised access to, or malicious software present on, information and communication systems.
Every organisation is at risk of cyber attack. If a breach does occur, then as well as business interruption and financial loss, the risk of reputational damage is much higher, particularly if the organisation subject to the attack did not prioritise cyber defence in the first place.
The FCA urges organisations to share experiences of procedures that really work, to question collectively what the threats are for particular sectors, and to ask whether certain trends are appearing in some sectors and not in others.
As well as offering high quality cyber insurance products and risk management support to help the wider world mitigate the risks of cybercrime, the insurance sector must work together to share information on their own risks, and actively assess the best strategies for prevention.
The FCA is committed to raising the profile of cybersecurity and supporting financial organisations in facing this challenge. FCA chief operating officer Nausicaa Delfas is delivering a keynote address at the 16th November Cyber Security Summit at the London Design Centre.
Delfas is speaking alongside senior public and private sector figures, including Mark Sayers, deputy director of cyber and government security at the Cabinet Office, and Chris Ulliott, chief information security officer at the Royal Bank of Scotland.