TalkTalk thinks this autumn’s cyber attack could cost it £35m – and that’s before the reputational damage that the telecoms company has suffered at the hands of its tormentors. To which leading financial services companies – and their regulators – should be thinking, “there, but for the grace of God, go I”.

So far – touch wood – the financial services sector has escaped a major cyber attack. But this hasn’t been for want of trying: leading banks now report hacking attempts on an almost daily basis. Sooner or later, it seems likely, terrorists, criminals, industrial spies or hackers simply seeking bragging rights will break through their defences.

Even without such a scandal, cyber security now represents a risk in its own right for the financial services sector. Those whose job it is to hold firms to account are taking an increasingly aggressive stance on this issue.

Above all, banking regulators are determined to ensure the industry’s defences are robust. The Bank of England’s Financial Policy Committee and its Prudential Regulation Authority have both demanded that the banks provide evidence they are maintaining tough controls against cyber attack – and under the CBEST regulatory programme, the regulators conduct regular penetration testing.

The Bank is also aware of the systemic threat posed by cyber attack – last month’s Operation Resilient Shield saw regulators on both sides of the Atlantic participate in a simulated cyber attack exercise that aimed to test the way leading banks and regulatory institutions would communicate in the event of a serious breach.

Those institutions found wanting face serious consequences. The Bank of England has even warned banks could be required to hold additional capital as a buffer against the potential cost of a cyber attack, if their defences are not considered sufficiently secure.

This more demanding regime is mirrored in the increasing attention that credit rating agencies are now paying to the issue of cyber risk. Standard & Poor’s recently warned that it sees cyber attack as “an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades”.

To be clear, S&P isn’t saying it would wait until a bank has been attacked to downgrade its credit rating. Rather, it could lower the rating of any bank that it judges not to be properly prepared to defend itself, with all the consequences such a downgrade could have.

The message is clear: those financial services businesses that do not prioritise cyber security risk not only falling prey to a damaging attack, but also regulatory and investor-led action against their lack of readiness.

Either way, the potential fall-out in the sector would be disastrous. While financial services businesses have lost public trust since the financial crisis of seven years ago, surveys of public opinion suggest that banks and other institutions are still seen as more secure than new industry entrants – it’s one of the few things the incumbents still have going for them. Any erosion of public confidence in the cyber security of the industry would make TalkTalk’s problems look decidedly small beer.


Webinar recording: Cybersecurity and the New Definition of ‘Adequate’

Webinar Replay: Cybersecurity and the New Definition of ‘Adequate’

The threat landscape for financial institutions has changed considerably since the DDoS attacks of 2012. Watch this webinar with Rich Bolstridge, Chief Strategist, Financial Services, at Akamai Technologies for an overview of how the definition of “adequate cybersecurity” has shifted.


David Prosser

David is a multi-award winning business journalist having been in the profession for more than 20 years. Beginning his career as a writer for Pensions Management, he has now written for almost every national UK paper, holding senior roles at the Independent and Daily Express in the process. He now writes regularly for The Times, The Independent, Evening Standard and Forbes.