A joint report published by the UK government and the National Cyber Security Centre this week revealed that only 16% of FTSE 350 boards claim to fully understand the impact that loss or disruption caused by cyber threats would have on their business, even though 96% say they have a cyber security strategy in place.
While the report covered listed firms generally rather than the financial sector alone, it illustrates the challenges faced by the senior management of financial services firms.
Cyber resilience remains high on the agendas of regulators (the JFSC and GFSC, and the FCA and PRA), and they are likely to become increasingly frustrated with firms which have not yet grasped the significance of the issue and put appropriate mitigation plans in place.
It is important that firms understand the risks they are trying to protect against, and educating senior management is time well spent. Taking the time to identify and acknowledge a knowledge gap is likely to be far more productive than muddling along in a state of confusion or ignorance, and it is the starting point for a true appreciation of the risks involved.
Once the potential consequences of getting the response wrong are understood, the goal should be to move cyber security from an IT issue to a firm-wide one. After all, the regulators have each stressed that cyber is not just a technology risk (although it certainly is that) but also a human risk.
According to the report cited above, the principal human risk may still be a lack of understanding at the top of the true scale and nature of the risks faced. Boards of financial services firms should make ensuring that this does not apply to them their first priority.