The technology of the early 1990s, which has reshaped our society and changed the way we conduct business, has also become a platform for sophisticated cyber criminals. Remote working has increased dramatically. Cyber risk is different. Preventing and addressing cyber attacks requires preparation.
Technology and the rise of cybercrime
The introduction of the internet and its rapid rise in the 1990s and 2000s not only changed our society but fundamentally changed how both small and large businesses operate. Technology has increased and brought us closer to larger markets. Criminals have also found their place in this ecosystem. The criminal justice system and law enforcement were not designed to address this type of crime. It is only three decades later that frameworks and resources are being put in place to effectively counter cyber criminals. Companies are beginning to address cybercrime as a serious threat.
We are now well aware of its destructive potential and are coming to accept the permanent nature of cybercrime. Historically, victims included banks, national parliaments, and large manufacturing conglomerates. Cyber criminals have various motives for the growing number of attacks: financial gain, political manipulation, and financing criminal activity. The Luxembourg government prepared its latest version of the National Cybersecurity Strategy in 2018. The threat is not theoretical. At the end of 2020, a large Luxembourg PSF (professional of the financial sector) was hit by hackers, causing significant disruption. It was not an isolated incident.
For Luxembourg's financial sector, the cyber threat is continuously present.
From a regulatory perspective there is no shortage of guidance identifying cyber criminality as a risk. The European Banking Authority and the European Central Bank have identified IT and cyber risks as serious threats especially given the outsourced nature of most of these functions in the financial services industry. The Luxembourg CSSF recently updated its guidance on, among other things, risk management in its Circular 12/552, which sets out the minimum requirements for oversight for much of the industry. There is a particular focus on the position of risk management within regulated entities, the proper identification and management of IT risk, and appropriate oversight by - and training for - members of the board of directors.
Deter cyber criminals - adopt a proactive strategy
It is ultimately the individual members of the board of directors who are responsible for managing IT risk and warding off cyber attacks. It is likely because of the experience and expertise of these senior leaders that most Luxembourg entities were able to respond effectively to the pandemic, switching to remote processes and operations with relative ease. For many, it meant refreshing a stagnant online presence with customers or committing to a final round of funding for a long-awaited IT upgrade. Those who recognised this need early in the crisis succeeded in maintaining operational resilience and business continuity. Many others will have discovered the extent to which they have outsourced IT or rely on critical functions within their group.
These skills should not be confused with the expertise and training required to assess and defend against cyber risks.
There is an urgent need for financial institutions to re-visit the skill set of board members. Relying on one board member with an IT background is insufficient.
Key questions to consider include:
- what is the cost of an external risk assessment versus one cyber incident?
- what has my board done to effectively demonstrate it is on top of this issue?
- am I at least equally conversant about IT and cyber risk as I am with strategy, operations, and HR?
It is likely that most firms do not have adequate answers to some of these questions. A common mistake is to assume that the operational agility we witnessed over the past year in moving to remote working automatically translates into an ability to defeat cyber criminals. These are not the same threats. Although many experienced leaders gained new skills, knowledge, and confidence with technology in the past year, that is no substitute for correctly identifying, measuring, and protecting against cyber threats.
Organizations which invest now in training, systems, and external assessments are those which will stand a chance when faced with a cyber attack.
It must be recognised at board level that creating a culture of risk awareness, developing skills, testing capacity, and having the right leadership to respond is a long-term play.
Facing cybercrime - establish a disaster response plan
Firms need to consider what they can do to limit the damage once a cyber attack or a cyber breach has taken place. Two important measures include having in place a clear disaster response plan and a cyber insurance policy which is tailored to the specific needs of the business, providing comprehensive cover for specific cyber risk and related losses.
The disaster response plan should be tailored to the main threats posed to each business unit and set out clearly what should be done in the event of a cyber attack. The plan should be regularly updated, which means including the most basic tasks, such as ensuring contact details are up to date. IT specialists are required to tackle the technical side of cyber defence. However, in order for a firm to have a strong defence and disaster response plan in place, this issue must be considered at board level where there is a full understanding of the business and appreciation of the impact a cyber attack could have.
When a cyber attack occurs, the victim needs to react extremely quickly and engage a cybersecurity expert to investigate the incident. Legal advice is also needed on an urgent basis. Lawyers are active in some of the first critical steps, including providing assistance with filing a complaint with the Public Prosecutor, specialised police units and the Financial Intelligence Unit, as well as managing the communication and cooperation with these public authorities. Legal assistance is also usually required to ensure communication with banks is efficient to maximise the chances of recovering stolen funds.
In many cases, an IT system has been fraudulently hacked and a fraudster has made a bank transfer order. It is possible to cancel the order if the bank is contacted in a timely manner. In addition, the prosecuting authorities are able to re-trace bank transfers and obtain freezing orders of accounts through cooperation with foreign authorities.
The more quickly action is taken, the more successful the efforts are.
This works to block funds before they can be wired to further bank accounts globally. A rapid, well-organised, and coordinated reaction to a cyber attack is essential to maximise the chances of recovering fraudulently misappropriated funds.
In the context of the General Data Protection Regulation (GDPR), legal advice is also needed for possible reporting to the Commission nationale pour la protection des données (the Data Protection Authority) to the extent there has been a personal data breach within a cyber attack.
It is indisputable that cybercrime has become more prevalent and more damaging to businesses of all sizes. It is essential that every business take all preventive measures to protect itself and have in place a rehearsed response plan that is ready to be executed as soon as an attack has taken place. By adopting these strategies, companies are best positioned to respond quickly and minimise potential financial and reputational damage.
Interested? Stay tuned for the next article of the series produced in exclusive partnership with Luxembourg Times.