A report published by the government this week revealed that only 16% of boards of FTSE 350 firms claim to fully understand the impact of loss or disruption associated with cyber threats, despite 96% having a cyber security strategy in place.
While the report looked at listed firms generally, it breaks its figures down by industry sector and so includes figures for the financial services sector specifically. It is also broadly illustrative of the challenges faced by the senior management of financial services firms which, while more aware than their peers in some other industries, still have work to do.
Cyber resilience remains high on the agendas of both the FCA and PRA, and both regulators are likely to become increasingly frustrated with firms which have not yet grasped the significance of the issue and put mitigation plans in place appropriately.
It is important that firms understand the risks they are trying to protect against, and educating senior management is time well spent. Taking the time to identify and acknowledge a knowledge gap is likely to be far more productive than muddling along in a state of confusion or ignorance, and it supports a true appreciation of the risks involved.
Once the potential consequences of getting the response wrong are understood, financial services firms should ensure that the issue keeps the attention of senior management as a firm-wide issue (or becomes one, if it is not already) and is not treated as principally an IT issue or risk. After all, the regulators have each stressed that cyber is not just a technology risk (although it certainly is that), but also a human risk.
According to the report cited above, the principal human risk may still be lack of understanding at the top of the true scale and nature of the risks faced. Boards of financial services firms should ensure that doesn’t apply to them, and that evolving risks continue to be understood, as their first priority.