6 Things You Should Not Ignore Following the SRA’s Cybersecurity Thematic Review
In September 2020, the SRA published its review of 40 firms that had suffered cybersecurity breaches. The review makes for sobering reading. It found that the results of an attack “were often catastrophic”. Lindsay Hill, CEO at Mitigo, highlights some key issues which emerge.
1. The importance of leadership
Cybersecurity and operational resilience are a serious business risk and a board-level responsibility. They require an influential and visible leader to set the tone and put in place the right protections. The SRA found some senior figures in breached firms unable to answer even basic questions about cybersecurity. There should be a formalised approach to cyber risk management with proper record keeping. It also requires ongoing expenditure – most of the firms breached had failed to allocate a specific annual cybersecurity budget.
2. Make yourselves aware of the cyber risks facing your firm
The criminal ecosystem is sophisticated and methods of attack constantly evolve, as the bad guys look for new victims and weaknesses in defences. Off-the-shelf attack tools are now readily available on the dark web. The SRA found that common attacks included email modification and account takeover, ransomware and spyware. Remote working and increased use of technology, including cloud-based systems, have opened up many more vulnerabilities to be exploited by attackers. You must not fool yourselves into thinking it will not happen to your firm. Do you really understand how ransomware can get onto your system and the consequences for you and your clients? How would you detect that you had suffered an email account takeover, or that spyware had been installed? Unless you take proper steps to understand these threats and the way in which breaches occur, you cannot begin to put in place the right defences or reassure your partners that the firm is safe from attack.
3. Don’t underestimate the impact a cyber breach will have
The loss of money (whether yours or your clients’) and data is only one aspect of a successful cyberattack. The SRA found that firms experienced an impact on their operational capabilities and other financial implications. This included significant loss of management and fee earner time (one firm lost £150,000 worth of billable hours), damage to client relationships, increased insurance costs, lost access to systems, stress, and more. Separate research indicated that last year the average ransom payment had risen to £138,000. We know from our emergency recovery work just how frightening and disruptive a cyber breach can be.
4. Recognise the importance of people and governance in security
It almost goes without saying that a key aspect of security includes technical configuration and regular vulnerability scanning. But the SRA highlighted that effective cybersecurity is not just a technology issue or a matter of having the best security software in place. The biggest vulnerability (and potentially the best defence) lies in the day-to-day practices and awareness of people, since most attacks target people. Many breached firms had failed to provide proper cyber awareness training, lacked training records, and had inadequate policies and controls in place. So it is unsurprising that they suffered the consequences.
5. Do not confuse cybersecurity with IT support
The SRA considered that aspects of cybersecurity are complex and technical, yet found that three quarters of breached firms had been relying upon their IT support for cybersecurity. Cybersecurity is a professional discipline that is distinct from IT support. The SRA warned against reliance on third-party IT providers to provide security, and reinforced the need to review and maintain policies, processes and systems regularly, where possible by someone independent.
6. Be mindful of your legal and regulatory obligations
Finally, the SRA issued a reminder that cyber and data security is not an optional luxury. Firms have regulatory obligations under the Code of Conduct and Accounts Rules to protect client funds and data, to run their practices in accordance with proper governance and risk management principles, and to report incidents. They also have overlapping statutory obligations under data protection legislation to protect the personal data of their clients and their own staff. These requirements include documented risk assessments, identification of technical vulnerabilities, regular and relevant cyber awareness training, and appropriate policies and procedures, all reviewed on an ongoing basis and documented to prove compliance.
More and more firms are taking the right steps to stay protected. It will be the firms that lag behind that become the low-hanging fruit for cybercriminals.