There is, however, a particular problem with financial institutions and cybercrime. Our blunt conclusion is twofold:
- They are attractive to cyber criminals. Fund managers and hedge funds are not afraid to promote what they do: “We have a £xbn fund”, “We have £xm of assets under management”. The bigger the perceived prize, the greater the motivation for cyber criminals to break through the security.
- Those working in financial services are money people: experts in managing money, not experts in IT security. This is particularly pertinent to small financial services firms such as boutique fund managers and hedge funds, which often manage £X million but don’t necessarily have the same level of protection as the larger institutions. Nor would you expect a fund manager with £100m of assets under management to have the same level of security as a bank, for example. But this, again, makes the small firms a more attractive target.
One of the most common types of cyber claim we see affecting financial institutions is what is known as social engineering. This is when cyber criminals intercept calls or emails and pretend to be someone they are not, either using hacked email accounts or setting up dummy email accounts that look and feel just like a genuine one. They use these accounts to request a transfer of funds from A to B, with B usually being the criminal’s bank account. The most common variant is a criminal pretending to be a senior manager or company director and demanding that an employee, or several employees, make an urgent transfer on their behalf. They will often provide legitimate-sounding reasons and a plausible explanation for the urgent transfer request, even using the same language and tone of voice in emails as the person they are imitating.
One of the best prevention strategies for such incidents is education: educating firms and their employees on the techniques criminals use, often through phishing emails. We have even heard of larger institutions running “phishing tests”, whereby they employ specialist cyber experts to send simulated phishing emails and then identify which employees spot the phishing and which don’t. Such exercises test the company’s resilience to these crimes and can also be used as education for all involved.
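The impersonation pattern described above (an executive’s name on a hacked or look-alike sender address, urgent payment language, replies quietly routed elsewhere) can be screened for at the mail gateway before a payment request ever reaches a finance team. The following is an added example, not code from the original article or from any named firm; the domain names, executive names, header fields and sample messages are all constructed for illustration, and the heuristics are a general illustration rather than any product’s rule set.

```python
"""Heuristic screening of inbound payment requests for executive impersonation.

Added example, not part of the original article. Domains, names and
sample messages below are constructed for illustration only.
"""
from email.utils import parseaddr

# Constructed: the firm's legitimate sending domain(s) and the people whose
# names criminals are most likely to borrow for an "urgent transfer" request.
LEGIT_DOMAINS = {"examplefund.co.uk"}
EXECUTIVES = {"jane smith", "robert jones"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "before close", "confidential")
PAYMENT_WORDS = ("transfer", "payment", "wire", "remit")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for domains within one edit of a legitimate domain (e.g. examp1efund)."""
    return any(domain != legit and _edit_distance(domain, legit) <= 1
               for legit in LEGIT_DOMAINS)


def check_message(headers: dict, body: str) -> list:
    """Return a list of short flag codes; an empty list means nothing suspicious."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()

    # 1. An executive's display name arriving from an address outside the firm.
    if name.strip().lower() in EXECUTIVES and domain not in LEGIT_DOMAINS:
        flags.append("exec-name-external")

    # 2. A registered look-alike of the firm's own domain.
    if is_lookalike(domain):
        flags.append("lookalike-domain")

    # 3. Reply-To pointing somewhere other than the visible sender's domain,
    #    so the employee's "confirming" reply goes to the criminal.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to-mismatch")

    # 4. A message claiming to be internal but without a DMARC pass stamped by
    #    our own gateway (only trust this header if the gateway adds it itself).
    if domain in LEGIT_DOMAINS and "dmarc=pass" not in headers.get("Authentication-Results", ""):
        flags.append("no-dmarc-pass")

    # 5. Urgent-payment wording of the kind the impersonator relies on.
    text = body.lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        flags.append("urgent-payment")

    return flags


# Constructed sample messages: one genuine, three impersonation attempts.
SAMPLES = {
    "genuine_internal": ({
        "From": '"Jane Smith" <jane.smith@examplefund.co.uk>',
        "Authentication-Results": "mx.examplefund.co.uk; spf=pass dkim=pass dmarc=pass header.from=examplefund.co.uk",
    }, "Q3 report attached for review."),
    "exec_from_webmail": ({
        "From": '"Jane Smith" <jane.smith@jsmith-personal.example>',
    }, "Urgent: please transfer £250,000 to the account below before close. I am in a meeting."),
    "lookalike_with_reply_to": ({
        "From": '"Accounts Payable" <payments@examp1efund.co.uk>',
        "Reply-To": "<finance@mail-relay.example.net>",
        "Authentication-Results": "mx.examplefund.co.uk; dmarc=none",
    }, "Invoice attached for payment."),
    "spoofed_internal": ({
        "From": '"Jane Smith" <jane.smith@examplefund.co.uk>',
    }, "I need you to make an urgent transfer today. Keep this confidential."),
}


def run_samples() -> dict:
    """Screen every constructed sample and return {label: flags}."""
    return {label: check_message(h, b) for label, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for label, flags in run_samples().items():
        print(f"{label:26s} {'SUSPICIOUS' if flags else 'ok':10s} {flags}")
```

Gateway heuristics like these only raise the cost of the attack; a hacked genuine mailbox with a DMARC pass will sail through checks 1 to 4. The control that actually stops the loss is procedural: any new or changed payment instruction is confirmed by calling the requester back on a number already held on file, never on one supplied in the email, and no single employee can both approve and release the transfer.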
We suggest all financial institutions should spend as much time and as many resources as practically possible on improving their cyber security, in proportion to the size of the business. I once attended a lecture where the lecturer explained that any business that wishes to grow should spend a minimum of 5% of revenue on marketing. I had always believed that the broad-brush approach was a load of nonsense, and I did wonder whether the lecturer had ever run a business. But if someone were to say to me now that businesses should spend, say, 2% of revenue on cyber security and cyber insurance, I would certainly agree, especially if that business were established and profitable. Until companies build their resilience to prevent such claims, I’m afraid things will only get worse, and all those working in financial services will continue to be a prime target for cyber criminals.
Prevention is better than cure, but cyber insurance can be a very helpful cure when all else fails.