Category Archives: Cyber Security

SEC: “Cybersecurity is one of the greatest risks facing the Financial Services Industry”


Mary Jo White, Chair of the U.S. Securities and Exchange Commission (SEC), delivered a keynote address at the Investment Company Institute 2016 General Meeting in Washington, DC on the 20th May.

The Commission is the primary regulator of the mutual fund industry which is comprised of 8,131 mutual funds with approximately $15 trillion in assets held by 54 million U.S. households as of March 2016.

White advised that the current and future health of the markets and the financial security of investors depend on the success of both its regulatory efforts and how well the industry participants do their jobs as fiduciaries and responsible leaders of the marketplace.

She highlighted 3 significant areas of regulation for the asset management industry:

  • controls on conflicts of interest;
  • a robust registration, reporting and disclosure regime; and
  • controls on specific fund portfolio composition risks and operational risks

Looking to the future, White highlighted disclosure effectiveness and ETFs as key areas of focus for the SEC. She also highlighted a number of areas where the sector must take the lead.

White believes a key challenge for the industry is the risk in using technology and service providers. She stressed the importance of firms ensuring that a fund is adequately prepared to promptly and effectively respond to risks that may be triggered by service providers and its own use of technology, including implementing alternative and reliable means to satisfy the fund’s regulatory requirements.

“Cybersecurity is a particularly critical element of this challenge – as I have said before, cybersecurity is one of the greatest risks facing the financial services industry. Cyber risks can produce far-reaching impacts, and robust and responsible safeguards for funds and for their investors must be maintained”.

The Commission has been very active in drawing attention to the issue and in examining and enforcing the rules it oversees in respect of cybersecurity. Its regulatory efforts are focused primarily on ensuring that its registered entities have policies and procedures to address the risks posed to systems and data by cyber-attacks.

“While no one can prevent all disruptions from cybersecurity events, you should consider the full range of cybersecurity risks to your funds and consider appropriate tools and procedures to prevent breaches, detect attacks and limit harm”.

BRG recently undertook a Cybersecurity Preparedness Benchmark Study. The study examined six main areas:

  • Leadership
  • Information Governance
  • Risk Management
  • Essential Protection
  • Incident Response and
  • Security Culture

For financial services, BRG partnered with the Institute of Operational Risk.

The results of the Benchmark will be released shortly.

For further information, please contact:

USA: Faisal Amin, famin@thinkbrg.com

UK/EMEA: Tony Moroney, tmoroney@thinkbrg.com

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

65% of UK large businesses experience a cybersecurity breach / attack

Ipsos MORI and its partner, the Institute of Criminal Justice Studies (ICJS) at the University of Portsmouth, were commissioned by the UK Government’s National Cyber Security Programme to survey UK businesses on their approach to cyber security and the costs they have incurred from cyber security breaches.

The Cyber Security Breaches Survey found that 65% of large businesses experienced a cybersecurity breach or attack in the past year with 25% of these experiencing a breach once a month.

The most common attacks detected (68%) involved viruses, spyware or malware. Key areas for improvement included incident response and staff training.

Ed Vaizey, Minister of State for Culture and the Digital Economy said: “We see a steady stream of breaches and attacks on firms which assume they are on top of security, but still haven’t got a good understanding of the possible impact on their business or what they should do about it”.

Results from the survey are being released alongside the Government’s Cyber Governance Health Check (launched following the TalkTalk cybersecurity attack); the Health Check found that almost half of the top FTSE 350 businesses regarded cybersecurity attacks as the biggest threat to their business when compared with other key risks – up from 29 per cent in 2014.

BRG recently undertook its own Cybersecurity Preparedness Benchmark Study. The study examined six main areas:

  • Leadership
  • Information Governance
  • Risk Management
  • Essential Protection
  • Incident Response and
  • Security Culture

For financial services, BRG partnered with the Institute of Operational Risk.

The results of the Benchmark will be released shortly. For further information, please contact:

USA: Faisal Amin

UK/EMEA: Tony Moroney


Insurers ‘vulnerable’ to cyber attacks

The International Association of Insurance Supervisors (IAIS), a voluntary membership organisation of insurance supervisors and regulators from more than 200 jurisdictions in nearly 140 countries, has stated that insurers face potential loss of confidential data, disruption of operations and reputational loss as a result of cyber risks.

IAIS in its new consultation paper on cyber risk stated:

“The insurance sector is vulnerable to cyber incidents; insurers collect, process, and store substantial volumes of data, including personally identifiable information”.

“Insurers are connected to other financial institutions through multiple channels, including investment, capital raising, and debt issuance activities”.

“Insurers execute mergers and acquisitions and other changes in corporate structure that may affect cybersecurity”.

“Insurers outsource a variety of services, which may increase exposure to cyber risk.”

The report highlights examples of cybersecurity weaknesses in the insurance sector. It also acknowledges that supervisors are addressing cyber risk through appropriate regulation and supervisory processes including:

  • The security of private information held by insurers and intermediaries;
  • Financial crime undertaken through cyber means; and
  • Business continuity and disaster recovery planning for individual insurers and intermediaries and potentially, for the insurance sector as a whole.

In addition, the requirements for the conduct of insurance business include provisions relating to privacy protection under which insurers and intermediaries are allowed to collect, hold, use, or communicate personal information of customers to third parties.

BRG will shortly be releasing the results of its Cybersecurity Preparedness Benchmark Study. If you would like to discuss our findings, please contact: Tony Moroney (BRG, EMEA) or Faisal Amin (BRG, USA).


See BRG white papers:

An Alternative Route to Risk-Aware Working

Board Responsibilities for Cyber Security

The “Cultural Firewall”: Reducing Security Risk by Transforming Security Culture and Behavior

Cyber-security: Are you prepared?

by Michael Champion, Management Consultant, BRG mchampion@thinkbrg

 

It is just under a month and a half into 2016, and we already have over 60 confirmed data breaches exposing over 1.4 million personal information records[1]. And this is only considering personal information leaks, not breaches in which the target is intellectual property. It is no longer the mind-set of companies to think ‘Have we been breached?’ but rather ‘When were we breached, and did we catch it and resolve it?’ So now is it time for organisations to become aware of their own security?

BRG Develops Cybersecurity Preparedness Benchmarking Study

EMERYVILLE, CA – Leading strategic advisory and expert consulting firm Berkeley Research Group, in conjunction with the Institute of Operational Risk, has launched its Cybersecurity Preparedness Benchmarking Study (CPBS).

BRG Director Faisal Amin is leading the study and is supported by Michael Champion, a cyber expert in BRG’s London office. The study offers participants an opportunity to gauge their companies’ security capabilities and readiness in the case of a cybersecurity breach.

“As with every industry, financial services accepts that there are only two kinds of company when it comes to cybersecurity: those who have been hacked and those who don’t know they’ve been hacked”, said Tony Moroney, Managing Director for Governance, Risk and Culture in BRG’s international financial services team.

“With the increased sophistication of cyber criminals and constantly evolving technology, it is impossible to prevent a breach altogether. Companies must seek to mitigate the damage that a cyber breach may cause their company through detailed analysis of their technology, processes and critically, their people.

“Regulators expect firms to understand both strategic and operational risks and to be able to provide assurances regarding their firms’ cybersecurity preparedness”.

Faisal Amin added, “We’ve created this in-depth study to enable companies to understand their security culture structures to improve their security and protect valuable intellectual properties.

“All too often cybersecurity is delegated (or relegated) to IT and security teams. Clearly the technology is a core aspect of what needs defending in any cybersecurity plan but it is not the only source of the problems. As we’ve seen with some of the major hacks in the past year, a company’s processes, supply chain and people can be the source of breaches both malicious and unintended. We have created this study to investigate the source of problems and will be benchmarking companies and industries to monitor trends.”

“CSOs and CISOs have had difficulty measuring and communicating the effectiveness of their security and compliance investments”, said George Clark, Chairman of the Institute of Operational Risk. “Cyber risk has emerged as the most common operational risk concern cited by respondents in a recent survey of op risk practitioners. The CPBS study offers a solution to this challenge. We are delighted to have partnered with BRG on this important initiative.”

The study will deliver security scorecards and specific benchmarks to survey respondents and will aid firms to strengthen their security performance management program based on objective, fact-based metrics, as well as compare how their security programs measure against internal organizational goals, approved risk-management profiles, industry peers and best-practice companies.

The study is open until the end of February. A broad range of industries will be represented in the study. Information submitted by respondents will be held in the strictest confidence. All study results will be anonymous and will be shared only with participants.

Additional information about the CPBS study can be found on the BRG website.

About Berkeley Research Group, LLC

Berkeley Research Group, LLC (www.thinkbrg.com) is a leading global strategic advisory and expert consulting firm that provides independent advice, data analytics, authoritative studies, expert testimony, investigations, and regulatory and dispute consulting to Fortune 500 corporations, financial institutions, government agencies, major law firms and regulatory bodies around the world. BRG experts and consultants combine intellectual rigor with practical, real-world experience and an in-depth understanding of industries and markets. Their expertise spans economics and finance, data analytics and statistics, and public policy in many of the major sectors of our economy, including healthcare, banking, information technology, energy, construction and real estate. BRG is headquartered in Emeryville, California, with offices across the United States and in Asia, Australia, Canada, Latin America and the United Kingdom.

About the Institute of Operational Risk

The stated mission of the Institute (www.ior-institute.org/) is to promote the development and discipline of Operational Risk and to foster and maintain investigations and research into the best means and methods of developing and applying the discipline and to encourage, increase, disseminate and promote knowledge, education and training and the exchange of information and ideas.

Protecting yourself: The secure connection

by Michael Champion, Berkeley Research Group mchampion@thinkbrg.com

I’d like you to ask yourself a few questions. How many times a day do you access a website? Now, for how many of those do you have to enter a password? For how many other websites does that user name and password work? And of those, how many times did you check that the website was secure?

Phishing for the Holidays

by Michael Champion, mchampion@thinkbrg.com

It’s holiday season once again. And once again countless shoppers will turn to online stores to avoid the holiday madness within stores—and for convenience. By shopping online we increase the time we are online searching for that perfect gift, confirming orders placed, going through social media making sure the recipient doesn’t already have the gift so carefully selected, and going frantic to make sure we didn’t skip anyone. This situation creates the perfect opportunity for one of the more common hacking techniques in use today: phishing.