Financial institutions must cooperate to mitigate the risk of cyber attacks
7 March 2023
We are pleased to be an associate partner of the latest Raconteur report for The Times on Fraud and Financial Crime.
In 2023, instability, recession and volatility are the perfect backdrop for criminals who are better funded, more technologically savvy, and more agile than they've ever been before. This report from Raconteur provides engaging content on this topic to support implementing an effective fraud prevention strategy.
Below is the article featured in the report on cyber risk and our ORX Cyber service, in which Roland Kennett, ORX Membership Director, argues that financial firms need to take a consistent approach and work together to mitigate the risk of cyber attacks. The full report is available on the Raconteur website.
‘The need for a consistent approach to cyber has never been greater’
Financial institutions must get better at cooperating – both internally and externally – to mitigate the risk of cyber attacks, argues ORX’s Roland Kennett
If you look at any survey of financial institutions, you’ll find that cybersecurity will generally feature at the very top of the list of material and emerging risks they’re most concerned about. In our highly digitised world, that shouldn’t come as a great surprise. In fact, it has been the case for a very long time.
Cyber incidents are defined by the UK’s National Cyber Security Centre as “a breach of a system’s security policy in order to affect its integrity or availability, and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990)”. They happen with an incredibly high degree of regularity. Perhaps the most eye-catching recent incident was the prolonged attack on Costa Rica by cybercrime group Conti.
So why, given all of this, do banks and insurers still struggle to quantify their exposure to cyber risk?
Part of the issue is organisational. There is a difference between the technical teams that ensure an organisation is properly protected and the risk professionals who work to calculate its exposure. The data sets that are needed for both activities tend to be different, even though they share a common basis. Most focus has – correctly – been on prevention, but the consequence is that it is very hard to pull together the data needed by risk professionals for calculating exposure.
What’s more, the frameworks (language, system and process) that have arisen on either side are not aligned, which has led to a siloed approach. Many systems have been developed, several of which have different attributes. The terminology varies and information can often be contradictory too. This means that different stakeholders find it hard to gain a common understanding, while those trying to measure exposure often face the time-consuming task of scouring numerous sources of data for something usable.
If sharing consistent data is a challenge internally, this is increased tenfold when it comes to sharing across the industry. But the need for a consistent approach has never been greater. Cybercriminals are continually seeking new ways to achieve their ends. They know they have to get it right only once to win, while organisations have to get it right all the time to stay protected. That makes it hard for firms to stay ahead of the threats.
We have a risk management conundrum: here is a risk, which everyone is talking about, that’s being heavily invested in, yet there is little data to justify that investment. How can it be resolved? Internally, companies must continue with their work to standardise terminology and systems so that all functions are receiving the information they need. Externally, we must continue developing industry resources that enable firms to benchmark themselves against their peers.
Part of the solution lies in data sharing. In 2020, ORX created ORX Cyber – a service where more than 25 financial services firms from around the world swap data concerning cyber losses, controls and indicators. This exchange has two main benefits. First, participants can start to see how their experience of cyber risk events compares against the aggregate peer-group data. But second, and perhaps more crucially at this stage, it’s also meant that they have had to start sourcing data from within. This in turn is forcing them to hold internal discussions about what material is needed and why.
Data sharing is only one aspect of the solution, though. In our experience over the past 20 years, collaboration has emerged as the best defence against cyber threats. Bringing experts together to share their expertise and knowledge can help financial institutions to make rapid progress together, rather than as individuals. This ‘wisdom of crowds’ approach to tackling big issues can make all the difference. The threat of cyber incidents will undoubtedly remain at the top of our risk lists. But the more we collect better data and collaborate, the more we can start to quantify it – and then justify the investment decisions we are making.