TalkTalk thinks this autumn’s cyber attack could cost it £35m – and that’s before the reputational damage that the telecoms company has suffered at the hands of its tormentors. To which leading financial services companies – and their regulators – should be thinking, “there, but for the grace of God, go I”.
So far – touch wood – the financial services sector has escaped a major cyber attack. But this hasn’t been for want of trying: leading banks now report hacking attempts on an almost daily basis. Sooner or later, it seems likely, terrorists, criminals, industrial spies or hackers simply seeking bragging rights will break through their defences.
Even without such a scandal, the threat posed by cyber security now represents a risk in itself for the financial services sector. Those whose job it is to hold firms to account are taking an increasingly aggressive stance on this issue.
Above all, banking regulators are determined to ensure the industry’s defences are robust. The Bank of England’s Financial Policy Committee and its Prudential Regulation Authority have both demanded that the banks provide evidence they are maintaining tough controls against cyber attack – and under the CBEST regulatory programme, the regulators conduct regular penetration testing.
The Bank is also aware of the systemic threat posed by cyber attack – last month’s Operation Resilient Shield saw regulators on both sides of the Atlantic participate in a simulated cyber attack exercise that aimed to test the way leading banks and regulatory institutions would communicate in the event of a serious breach.
Those institutions found wanting face serious consequences. The Bank of England has even warned banks could be required to hold additional capital as a buffer against the potential cost of a cyber attack, if their defences are not considered sufficiently secure.
This more demanding regime is mirrored in the increasing attention that credit rating agencies are now paying to the issue of cyber risk. Standard & Poor’s recently warned that it sees cyber attack as “an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades”.
To be clear, S&P isn’t saying it would wait until a bank has been attacked to downgrade its credit rating. Rather, it could lower the rating of any bank that it judges not to be properly prepared to defend itself, with all the consequences such a downgrade could have.
The message is clear: those financial services businesses that do not prioritise cyber security risk not only falling prey to a damaging attack, but also regulatory and investor-led action against their lack of readiness.
Either way, the potential fall-out in the sector would be disastrous. While financial services businesses have lost public trust since the financial crisis of seven years ago, surveys of public opinion suggest that banks and other institutions are still seen as more secure than new industry entrants – it’s one of the few things the incumbents still have going for them. Any erosion of public confidence in the cyber security of the industry would make TalkTalk’s problems look decidedly small beer.