The evolving Cyber Threat landscape.
At present one of the most prolific cyber threats is data exposure. In October 2022 alone, 134 organisations in the UK reported cyber-crimes including 33 reports related to "Business Email Compromise" enabling the attacker to steal personal information. In addition to the impact of malware on infrastructure, exfiltrated data enables hackers to deploy double and triple extortion attacks.
The size of an organisation is no longer a selection factor for hackers. According to the NCSC Small Organisations Newsletter - December 2022:
"Organisations with less than a £1.5 million turnover continue to be the most targeted by threat actors, accounting for 54% of reporting, with 58 of the reports coming from ‘Micro’ businesses (Sole Traders, and businesses with 1-9 employees)."
Companies are no longer approaching cybersecurity as if an attack will happen, but when. At any time before or during an attack, how a company reacts will be monitored by regulators and insurers alike. The effectiveness an organisation’s preparations for, and response to, a cyber-attack can be the difference between a company surviving or collapsing following a breach.
The changing regulatory landscape
New FCA and PRA operational resilience requirements came into force on 31 March 2022 and the regulators’ focus on cyber resilience formed a key element of the FCA’s 2022/23 Business Plan published on 7 April 2022. Analysing the published review by Regulation Tomorrow, key expectations include:
- Prioritise governance: firms must ensure they have an appropriate internal governance process for dealing with the aftermath of a cyber threat or attack, including processes to validate the integrity of information affected by the disruption, implement the business continuity plan, communicate internally with relevant stakeholders and escalate and report to senior management and the board as appropriate...
- Recovery: any continuity plan should also be subject to rigorous and regular review and testing, and firms should adopt a risk-based approach to getting systems and processes up and running.
The "ever increasing £" of cure
As with any business risk, organisations invest in cyber risk insurance policies to help them mitigate the financial impact of an attack. Cyber insurance policy issuers are looking to reduce their exposure to breach events. Whether by refusing quotes to organisations without effective cyber programs, removing clauses from existing policies where companies are not keeping up with changes in the threat landscape or adding a ‘cyberwar clause’ to existing policies, lowering the insurer’s risk means increasing the policy holder’s risk.
So, how about that "ounce of prevention"?
As with any type of insurance, organisations need to demonstrate preparedness for events covered by the policy. Companies must regularly run disaster recovery tests, major incident exercises and data breach incident response assessments to train staff and ensure that policies and procedures are 'fit for purpose'.
Data breach mitigation techniques include:
- Data Breach incident response plans
- Incident response plan precis
- Customised procedures that effectively support communications across all levels of an organisation
- Demonstration of preparedness for Data Breach events and impact mitigation
We have expanded our financial service consulting portfolio to include cyber security solutions aligned to the unique needs of the financial services marketplace. Embedding Altus' market leading program delivery skills into cyber engagements ensures that the results organisations receive are timeous and cost efficient.