October is cybersecurity awareness month, a campaign to help organisations protect themselves against potential hackers.
It is particularly pertinent this year as it follows a number of well-publicised data breaches within the financial services industry, as well as a recent attempt made by cybercriminals to infiltrate the BBC by bribing a journalist.
Just as mechanisms to prevent cybercrime become more sophisticated, so do the lengths to which hackers will go to extort money or data. As the BBC example demonstrates, often the perceived weakest link is the human element.
Cyber incidents are on the rise across the financial sector and for advice firms, the risks are acute. You hold sensitive client data about high-net-worth individuals – temptation indeed. For this reason, employees could be seen as attractive targets for cybercriminals.
The FCA and NCSC have both issued recent warnings about increased targeting of smaller regulated firms, and, as more of us embrace digital platforms and remote working, the attack surface continues to expand.
No business is immune, but having robust controls and tested incident response plans can significantly reduce both the impact and the regulatory consequences of a breach.
How to tighten your cybersecurity
This month’s ICO newsletter included a stark warning about cybersecurity. In 2023, hackers stole personal client information from Capita, including pension records, financial data and special category data, resulting in a £14m fine.
All firms have a legal obligation to ensure their systems and controls are adequate to secure and protect the data they hold. So, how can you defend yourself against an attack?
First, educating staff is crucial. You should be providing regular cybersecurity and anti-bribery training, including awareness of insider threat tactics such as social engineering, multi-factor authentication (MFA) bombing and ‘trust deposits’.
You also need to make sure your anti-bribery policies are up to date and that they cover offers of money, gifts or cryptocurrency for system access or data.
Run periodic employee access reviews and always apply the rule of least privilege.
Remove unnecessary permissions and disable dormant accounts to ensure staff can only use the systems and data they need to fulfil their role.
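The access review described above can be scripted against a periodic export from your identity provider or directory. The following is an added example, not code from the article or from any vendor tool; the CSV column layout, the 90-day dormancy threshold and the set of roles treated as privileged are assumptions you would replace with your own.

```python
"""Periodic access review: flag dormant accounts and privileged accounts for recertification.

Added example for illustration only. The export format below is constructed;
adapt parse_export() to whatever your identity provider actually produces.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export. Column names are an assumption, not a real IdP schema.
SAMPLE_EXPORT = """\
username,enabled,roles,last_login,created
a.smith,true,adviser,2025-09-28,2021-03-01
j.doe,true,adviser;admin,2025-04-02,2019-06-15
contractor1,true,adviser,,2025-01-10
old.temp,true,admin,2024-11-20,2020-02-02
m.jones,false,adviser,2024-01-05,2018-07-07
p.lee,true,adviser;finance,2025-10-01,2022-09-09
"""

DORMANT_DAYS = 90                    # assumed policy: disable after 90 days unused
PRIVILEGED_ROLES = {"admin", "finance"}  # assumed: roles needing owner sign-off each review


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_export(text):
    """Turn the CSV export into a list of account dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "roles": set(filter(None, row["roles"].split(";"))),
            "last_login": _parse_date(row["last_login"]),
            "created": _parse_date(row["created"]),
        })
    return rows


def review(rows, today, dormant_days=DORMANT_DAYS, privileged_roles=PRIVILEGED_ROLES):
    """Return accounts to disable (dormant) and privileged accounts to recertify."""
    cutoff = today - timedelta(days=dormant_days)
    disable, recertify = [], []
    for r in rows:
        if not r["enabled"]:
            continue  # already disabled; nothing further to do
        # An account that has never logged in is dormant from its creation date.
        last_activity = r["last_login"] or r["created"]
        if last_activity < cutoff:
            disable.append(r["username"])
        # Least privilege: every enabled privileged account is re-approved by its owner.
        held = r["roles"] & privileged_roles
        if held:
            recertify.append((r["username"], sorted(held)))
    return {"disable": disable, "recertify": recertify}


def run_sample(today=date(2025, 10, 15)):
    return review(parse_export(SAMPLE_EXPORT), today)


if __name__ == "__main__":
    findings = run_sample()
    print("Disable (dormant):", ", ".join(findings["disable"]))
    for user, roles in findings["recertify"]:
        print(f"Recertify {user}: {', '.join(roles)}")
```

The "disable" list is what the review actions; the "recertify" list is what goes to the business owner for sign-off, so that privileged access is actively confirmed rather than silently renewed.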
Make sure new starters are screened appropriately and conduct background and credit checks on all personnel to help identify potential vulnerabilities.
Then, monitor and detect. Enable alerts for unusual log-in attempts or repeated MFA requests and use dark web monitoring for exposed credentials.
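Two of the alerts mentioned above, a sign-in from a location the user has never used and a burst of unanswered or denied MFA push prompts (the MFA bombing pattern), can be expressed as simple rules over authentication logs. The block below is an added example, not code from the article or from any identity provider; the log line format, the per-user baseline of known countries, and the threshold of three unapproved pushes within five minutes are all constructed assumptions.

```python
"""Detect MFA push fatigue and unusual sign-in locations from authentication logs.

Added example, not part of the original article. The log format is
constructed; real IdP logs (Entra ID, Okta, Duo and others) differ, so
parse() is the part you would adapt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event, user, source IP, country, outcome.
# The burst for j.doe ends with an approval, which is the worst case.
SAMPLE_LOG = """\
2025-10-06T08:01:10Z LOGIN a.smith 203.0.113.5 GB success
2025-10-06T08:01:12Z MFA_PUSH a.smith 203.0.113.5 GB approved
2025-10-06T22:14:01Z LOGIN j.doe 198.51.100.7 NG password_ok
2025-10-06T22:14:02Z MFA_PUSH j.doe 198.51.100.7 NG denied
2025-10-06T22:14:40Z MFA_PUSH j.doe 198.51.100.7 NG timeout
2025-10-06T22:15:15Z MFA_PUSH j.doe 198.51.100.7 NG denied
2025-10-06T22:15:50Z MFA_PUSH j.doe 198.51.100.7 NG timeout
2025-10-06T22:16:30Z MFA_PUSH j.doe 198.51.100.7 NG approved
2025-10-07T09:00:00Z LOGIN j.doe 203.0.113.9 GB success
"""

PUSH_THRESHOLD = 3                  # assumed: this many unapproved pushes ...
PUSH_WINDOW = timedelta(minutes=5)  # ... within this window is treated as push fatigue
KNOWN_COUNTRIES = {"a.smith": {"GB"}, "j.doe": {"GB"}}  # constructed per-user baseline


def parse(text):
    """Yield one event dict per log line (constructed whitespace-separated format)."""
    for line in text.splitlines():
        ts, event, user, ip, country, outcome = line.split()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event,
               "user": user, "ip": ip, "country": country, "outcome": outcome}


def detect(events, known_countries=KNOWN_COUNTRIES,
           threshold=PUSH_THRESHOLD, window=PUSH_WINDOW):
    """Return (rule, user, detail) alerts in log order."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved pushes
    flagged = set()              # users already alerted for push fatigue
    for e in events:
        if e["event"] == "MFA_PUSH":
            q = recent[e["user"]]
            if e["outcome"] != "approved":
                q.append(e["ts"])
                while q and e["ts"] - q[0] > window:  # slide the window
                    q.popleft()
                if len(q) >= threshold and e["user"] not in flagged:
                    flagged.add(e["user"])
                    alerts.append(("mfa_fatigue", e["user"],
                                   f"{len(q)} unapproved pushes within {window}"))
            elif e["user"] in flagged:
                # Approval right after a burst usually means the user gave in;
                # escalate as a probable account compromise (design choice here).
                alerts.append(("mfa_fatigue_approved", e["user"],
                               f"approved from {e['ip']} ({e['country']})"))
        elif e["event"] == "LOGIN":
            if e["country"] not in known_countries.get(e["user"], set()):
                alerts.append(("unusual_location", e["user"],
                               f"{e['ip']} ({e['country']})"))
    return alerts


def run_sample():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"[{rule}] {user}: {detail}")
```

In the sample, the sign-in from an unfamiliar country fires first, then the third unapproved push within the window, and finally the approval that follows the burst. The last of those is the one to treat as an incident rather than a warning, because the session is now authenticated.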
Strengthen your protections by implementing phishing-resistant MFA for all accounts – especially those with administrative rights – and maintain clear reporting processes.
Staff should also know exactly who to contact if they suspect a threat or breach.
What to do if someone is approached
The National Crime Agency’s advice is never to pay a ransom. Instead, focus on prevention and preparation, and do not underestimate how creative and persistent cybercriminals have become.
If an employee is approached by a suspected hacker, they should not respond or engage.
Always avoid sharing information, running commands, or approving MFA requests.
Preserving evidence is key, so take a screenshot of the communication and gather as many details as possible. Do not try to fix or hide a data breach.
If you have internal IT support, HR or a compliance team, report the threat to them immediately and cooperate fully with their instructions.
Alternatively, follow your incident response plan so that senior management can escalate the threat to the police or regulatory bodies, if necessary.
Once the dust has settled, decide if any follow-up training or debriefs are required to prevent future incidents.
The value of preparing early
Employees within the financial services industry are attractive gateways for cybercriminals and so it’s important to understand the regulatory and financial consequences of ignoring your responsibilities.
There’s also the operational and reputational damage a data breach can do to your firm to consider.
You may think the time it takes to draft policies and train staff could be better spent elsewhere, but handling a complaint that arises from a data breach will take much longer.
The Financial Ombudsman recently upheld a case against Eastwood Financial Solutions (EFS) after fraudsters accessed a client’s ISA account and attempted to withdraw nearly £10,000. Although the transfer was stopped in time, personal and financial data was compromised.
EFS chose not to contest liability, but argued the proposed redress was excessive. The ombudsman disagreed, ordering the firm to pay £400 for distress and inconvenience and a further £899 to cover five years’ data monitoring.
This case reinforces the FCA’s expectations that firms must have effective systems and controls to manage operational and data security risks and highlights the need for clear communication and swift incident responses.
Both can significantly reduce the impact and regulatory consequences of a breach.
B-Compliant is a financial planning and compliance support company