, cyber safety
, cyber security
Can traditional risk management frameworks protect a firm from the ever increasing cyber threat? What role do financial crime systems and controls, requirements, business continuity, data loss prevention and traditional fraud prevention techniques play in the defence against sophisticated and targeted cyber attacks?
The following is an extract from the last edition of ICA's quarterly journal for members, inCOMPLIANCE:
UK regulated firms must apply the FSA’s Principles to their operations. Principle 3 concerns Management and Control and having “adequate risk management systems”. Section 6.3.1 of the Senior Management Systems and Controls (SYSC) within the FSA Handbook is usually quoted with regards to financial crime risk management. This requires a firm to establish systems and controls which enable it to identify, assess, monitor and manage financial crime risk, moreover being comprehensive and proportionate to the nature, scale and complexity of its activities. However, section 6.1.2 must also be considered, as it requires firms to “implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system”. Yet the traditional risk management framework, whereby an inherent risk assessment is produced, followed by an assessment of the controls environment in order to produce a residual risk assessment, will typically focus primarily and almost exclusively upon the risk drivers identified within SYSC 6.3.6, namely:
- customer, product and activity profiles
- distribution channels
- complexity and volume of transactions
- processes and systems, and
- operating environment
Cybercrime is a natural consideration within all of the above risk drivers, yet many financial institutions do not formally measure, assess or manage this specific risk. Cybercrime is a global, dynamic and highly diverse threat that many firms have struggled to tackle in isolation using traditional risk management techniques. The situation is exacerbated by the need to manage a number of distinct but related disciplines across organisational boundaries. However, by applying sound risk management principles and practices, cyber threats against an organisation can be mitigated, although risk-reward considerations and external dependencies place limitations on the extent to which this can be achieved.
A growing issue
According to Interpol, cybercrime is one of the fastest growing crimes. Other sources confirm it as one of the top four economic crimes, while Symantec estimates that cybercrime costs $388bn globally with global consumer cybercrime in the year to September 2012 totalling $69bn. The Office of Cyber Security in the Cabinet Office estimates that cybercrime costs the UK economy £27m annually, while Symantec estimates that 12.5m people were victims in the UK, suffering £1.8m in direct losses.
The World Economic Forum highlighted the growing risk of cybercrime in 2012 at Davos. Such statistics and publicity, apart from demonstrating difficulties in accurate measurement, suggest that all institutions within the UK, including financial institutions which have regulatory requirements to fulfil, should assess their own and their clients’ exposure to cybercrime risk as a matter of course.
Despite regulatory crackdowns and increased international cooperation “it has never been easier to become a cybercriminal” according to William Hague, the UK Foreign Secretary, speaking in October 2012 at the International Cyber-Security Summit in Budapest. Cybercriminals are able to target individuals, governments and organisations around the world through fast and flexible technologies under a shield of anonymity. Regulators and businesses are in a perpetually reactionary state, as both attempt to prevent and reduce the losses caused by cybercrime through a series of initiatives, all of which lag behind the expertise of those engaging in cybercriminal activities.
If you are an ICA member you can log into the ICA website and read the rest of this article here
Find out more about becoming a member here
Andy Caines is a Manager and Jodi Schutze an Associate in Ernst & Young’s EMEIA Financial Services Advisory team.