The financial sector contains all the elements to make it the perfect target for cyber crime
Telecomms giant Talk Talk and affairs facilitator Ashley Madison may have made headlines when they suffered data breaches last year, but a report due out on Tuesday will warn that the financial sector is the real top target for cyber attacks.
The study by Marsh and TheCityUK will explore the extent of the risk that cyber crime poses to the City of London, and the findings make for fairly distressing reading.
"[The financial sector is] in some ways the perfect target for the crime," Mark Weil, chief executive of Marsh and chair of TheCityUK Cyber Taskforce, told City A.M. ahead of the report's release. "You've got a concentration of data and money in the system which is going to attract criminals."
He continued: "Secondly, there are some very high-profile public names out there which are going to attract the risk as well as others with political points to score. Finally, it's at the centre of the economy so, if you can disrupt the financial sector, it’s a form of critical infrastructure…so it’s going to attract hacktivists, terrorists, hostile states and the like."
Read more: UK security services fail in bid to get hacker to hand over passwords
Chris Cummings, chief executive of TheCityUK, pointed out that the sheer number of household names in the financial sector puts it high on the list of potential targets for somebody with an axe to grind and good working knowledge of a computer.
Cummings remarked that many in the financial sector "will inevitably be caught up by people who are hacktivists, those people who either just want to ping the system or are motivated by other reasons, whether that's unsatisfactory customer service or feeling hard done by".
There is also more that can be done to protect businesses.
Read more: More proof British business is terrible when it comes to cyber security
"Because of its relative newness, most of the boards of companies in the UK's financial centre in London are not steeped in cyber as part of their business experience and their background," commented Marcus Scott, operating chief at TheCityUK.
Earlier this month, a government report discovered that more than half (54 per cent) of boards at FTSE 350 companies only heard about cyber security on the occasional basis, or when something had already gone wrong.
Weil agrees that there is still the tendency for businesses to assume that cyber falls purely into the IT department’s domain, although he adds “the more enlightened ones are starting to treat it slightly differently as a broader business risk”.
Read more: Banks have been warned they're vulnerable to this specific new cyber attack
Cummings stressed that it was important to finally land cyber as a “board issue, not because it’s a technology scare, but because it’s a straightforward people issue”.
It doesn’t help that cyber is still somewhat shrouded in mystery, with many failing to recognise that the terms can be applied to numerous incidences – from frauds to attempts to take down entire systems – rather than one particular type of event. Weil believes that treating cyber events as one overarching issue is like “conflating petty theft or pickpocketing with jihadism and active war”.
Weil also pointed out that many people get distracted by the risk of fraud and forget that “you have people who would just literally love to put a bank down, or indeed take the system down, if they could and that clearly has rather larger consequences than an element in the p&l of a credit card business.”
Read more: Cyber crime: The new business battle ground
The launch of the report also comes not long after the General Data Protection Regulation made its way through EU Parliament. Although it won’t come into force until 2018, new rules introduced by the regulation include, the potential to fine firms up to four per cent of their global turnover for failing to keep information as secure as they should have done.
“That’s going to make people more concerned about financial consequences [of cyber attacks],” Weil pointed out.
However, businesses must still be aware of the reputational effect that a cyber incident can have on their business, with Weil pointing out: “It’s not just about having data stolen. It could be about your ability to trade and ability to retain confidence of people, particularly…for a bank where you have got a liquidity risk, the last thing you want is to either not be able to help your customers to transact or for people to lose confidence.”