Is your firm really ready to handle a cyber-attack?

A new report from European regulators shows the financial services industry now accounts for 12% of all cyberattacks globally, up from 4% in early 2019, so perhaps it’s time to think about what happens when a cyber-attack is successful, says Virginie O’Shea, founder, Firebrand Research.

No, I’m not trying to sell you a cybersecurity system or consulting package. I just spend a lot of time thinking about risks in the capital markets sector and assessing how these might change the industry in the future, and cybersecurity has been a recent preoccupation of mine.

The European Securities and Markets Authority (ESMA) Trends, Risks and Vulnerabilities (TRV) report is one of my must-reads when it comes out every quarter, and every report has featured something about cyber-risk, generally with large, red warning signs. The geopolitical environment is, as we all know, a bit of a mess at the moment and cyber-crime is on the up. It’s increasing due to the funding of nation states, professional criminals and, well, frankly it could be Dr Evil types out there lurking in underground bunkers for all we know.

The latest TRV is pretty concerning on the attack front, as it highlights that the financial services industry now accounts for 12% of all cyberattacks globally, up from 4% in early 2019. The number of publicly acknowledged cyber-attacks hit a peak in the second half of 2022 at around 90, up from fewer than 10 in early 2019. And that’s just the publicly acknowledged attacks—think of it as the tip of the veritable iceberg of what’s going on out there in the industry.

I’ve spoken to a fair number of chief information security officers (CISOs) over the last couple of years and all of them acknowledge that firms have to deal with the eventuality that they’ll be successfully attacked at some point. But there’s only so much a CISO can do on his/her/their own, or even with a dedicated team. The whole organisation needs to know how to respond when such an event happens. Think about it: do you know what you’re supposed to say to clients if they ask? Which mission-critical systems are likely to be back online the quickest? Where do you go to find out more information internally if the CISO and team have their hands full?

No doubt, we’ve got better at identifying phishing emails, but they’re getting more sophisticated by the generative artificial intelligence minute. Has your firm’s cyber policy moved with the times? Are you paying enough attention to any cyber-exercises or are they merely another box to tick?

There are a lot of questions to think about when you start to really look at what happens when a cyber-attack is successful. For an industry built on trust and increasingly digitalising, we have to get this stuff right or risk obsolescence. Regulators are right to be worrying about firms digitalising assets and moving to the cloud. Technology reduces some risks and improves efficiency (hopefully), but it also introduces wholly new risks. I’m not suggesting we keep everything in the Stone Age, but we do have to consider cybersecurity when it comes to all of these things. Everything from adding a new application programming interface to using a new comms tool can cause issues.

CISOs often describe cybersecurity exercises around attacks in a manner similar to a military operation, where the troops are everyone from ops and IT to client services reps. Everyone has their defined roles and their specific objectives, such as client communications or system checks. So, get out your virtual fatigues, soldier. Ten-hut!