There has been much coverage of this topic in the mainstream media, and this has only increased following the recent ‘WannaCrypt’ ransomware cyber-attack on the NHS and other entities in the UK and indeed worldwide.
One important distinction that needs to be made here and now is that this is not so much a browser-related issue this time, but an operating system issue – highlighting the need to update and maintain all the software that is installed on your computer, not just your web browser.
This topic has come up several times in recent months, where firms have been identified as continuing to use Windows XP or Vista-based devices for their core business, despite support for XP-based systems having been ended by Microsoft in April 2014 (12 years after its launch), and Vista support being completely withdrawn earlier this year (10 years after its launch).
According to the BBC, Sky News and other media outlets, one of the reasons that the recent attack spread so widely and so fast in the NHS was that most of the affected devices were still running Windows XP.
The key message from data security professionals is that this is amongst the biggest examples so far of this type of attack, and that the impact of this attack is much less serious when firms have got robust backup procedures in place.
Inevitably, as people improve their security against one type of attack, criminals will find a new way to cause problems - rather than reacting to a known threat, we should be preparing for any threat and ensuring that systems/processes are robust and that everyone is familiar with them.
Preparations can range from one end of the scale, where every employee is expected to behave in certain ways and avoid ‘risky’ behaviours, right through to a full Disaster Recovery (or Business Continuity) Plan, knowing who is responsible for what and how to implement a recovery of data/systems.
RWA, via the Development Zone, can help with the re-education process with a specialist Cyber Risks Pathway, which has numerous modules to help.
Our HR team can also assist with ensuring your contracts and staff handbooks reflect what is needed, and our Solutions team can certainly help with any reviews of your business.
There are several actions that a firm can take ranging from re-educating staff about phishing emails and downloading files from innocuous looking sources (such as screensavers), through to a full review by a security professional. Firms may also need to look at the hardware and software they deploy to see how ‘modern’ it is and replace as needed.
Firms should also review whether existing policies and procedures are being carried out – the most recent cyber-attack used a vulnerability that had been publicised and ‘patched’ in March, yet some organisations failed to update their systems until after the attack in mid-May.
This may not be an inexpensive job, but when seen against the loss of data and the threat to your business, it may be money well spent.
Also, do you back up all your data on at least a daily basis? If you do not back up or carry out these back-ups less frequently, you are at risk of losing potentially significant amounts of data that you cannot recover. This could put at risk the viability of parts of your business; please remember that the fifth FCA Threshold Condition (COND 2.7) requires you to have a sustainable and viable business model.
This is not just a Data Security or Data Protection issue (the new General Data Protection Rules in 2018 will dramatically increase not just the work needed but also the consequences of non-compliance); it is also a T&C issue in ensuring staff are robustly trained in such matters.
Experts at the UK’s National Crime Agency (NCA) said they were shocked at the age of many of those wreaking havoc online. The average age of a hacker is just 17 years old, with many much younger and using games consoles to hack other systems after exploring the ‘dark web’. Getting started does not need sophisticated or expensive computer kit, nor a Master’s degree in Computer Science from Oxford!
So far, we have not mentioned the FCA very much, so what is their take on this issue?
Well, this forms part of any firm’s overall Systems & Controls, and the regulator will expect all firms to have processes in place to protect the customer and their data and to be able to respond to matters such as this, taking expert or professional advice as needed.
Firms should bear in mind the Principles for Business and in particular the following:
- Principle Two - A firm must conduct its business with due skill, care and diligence.
Failure to have effective IT safeguards would certainly mean a firm falling foul of this.
- Principle Three - A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
Risk Management would certainly cover a firm’s vulnerability to cyber attacks.
- Principle Six - A firm must pay due regard to the interests of its customers and treat them fairly.
How can you treat customers fairly when you cannot guard their data or deal with questions and queries if you have no access to your systems?
- Principle Ten - A firm must arrange adequate protection for clients' assets when it is responsible for them.
It can be argued that the biggest client asset you hold is their data.
The FCA has asked all firms to ensure that they review the latest guidance from the National Cyber Security Centre, which can be found at:
The coverage of the NHS has certainly made us sit up and take notice. Unfortunately, Insurance Brokers are not immune, and we have had reports of some firms being held to ransom or suffering successful ‘phishing’ attacks, so do not think it cannot happen to you or that your systems are good enough; no matter how good they are, sooner or later somebody will try to attack you.
Speak to your IT professionals, or engage one as soon as you can, to carry out a review; speak to us at RWA if needed.
Remember, given the high profile of this topic, the FCA and the ICO will not be sympathetic if you get caught out and have not done everything you can to protect the client and your firm.