Cyber risk is everyone’s business
Read time: 3 mins. Added: 10/02/2019
Technology is woven into every aspect of our lives, from controlling the heating in your home to managing your tax return. At the same time, both the likelihood and the impact of a successful cyber-attack have grown enormously because of our increasing reliance on computer systems. Managing cyber risk is no longer an issue for the IT department in isolation: its potential to cause operational, reputational, financial, legal and regulatory impacts means it's everyone's business.
How does cyber-risk differ from other business risks?
Many people still plan for a cyber-attack in terms of traditional disaster planning. However, unlike a natural disaster, which may affect just one location, a cyber-attack can instantly propagate through the network to compromise all systems and data, including those held at disaster recovery sites. Additionally, to cope with the financial impact of a fire or flood a business will normally have insurance in place, yet only 14% of SMEs in the UK have cyber insurance [1].
Conventional protections against physical disasters, such as loss of power, often don't work in the case of a cyber-attack. With traditional disasters you are dealing with a passive adversary; the risk is better understood and the threat is not likely to deviate. With cyber-attacks, however, you are frequently dealing with an active adversary. For example, if a hacker gains control of a network, the threat may change and escalate as the attack progresses, and new risks that were not previously identified emerge. Many businesses' crisis planning hasn't evolved to consider the dynamic nature of cyber, nor the financial response it requires.
An attack on critical systems
There's also a lack of awareness of how critical IT systems have become to business. For example, most office telephone systems, whether in a large or a small organisation, are computer based, so organisations need to consider how they would communicate with colleagues, customers or suppliers in the event of an attack. As we increase our dependence on digital infrastructure and the internet, the impact when something goes wrong becomes more dramatic and far-reaching. For example, how would you pay your staff if you did not have access to salary details and payment systems? And how long would they stay loyal without remuneration?
A strategic imperative
Cyber-security is not only a risk to be managed, however. Business strategy needs to take the cyber-threat into account, because your overall threat profile can be controlled and is, to an extent, determined by the type of business you run and your customer and supplier base.
Where should responsibility lie for cyber risk?
Accountability for taking the threat seriously, understanding the potential impact of an attack, and creating a response and recovery plan lies with senior management or the Board. The challenge for businesses is that cyber risk is no longer confined to the IT department or the domain of the Chief Information Security Officer. As we have seen, the threat posed by cyber-attacks spans the whole organisation, so responsibility for preparing for, responding to and recovering from a cyber-attack sits at a departmental and individual level.
As well as operational and financial planning, businesses need organisational resilience, which filters down from the top of an organisation but sees different individuals sharing responsibility within their disciplines.
If you leave the cyber challenge solely with the Chief Information Security Officer, they won't necessarily have the skills and knowledge to advise on what needs to be implemented in other parts of the business. For example, in the finance department, how would you manage the impact on your short-term liquidity and access to cash? Does the business have appropriate financial plans in place to cope with a cyber-attack?
Whilst there may be one person on the Board with overall accountability, the challenge is to get the right skills and information to every part of the business, so that cyber considerations are woven into everyday operations. Planning on that basis demonstrates a clear understanding of the risk and puts you in a better position to manage it.
Important legal information
Lloyds Bank is a trading name of Lloyds Bank plc, Bank of Scotland plc, Lloyds Bank Corporate Markets plc and Lloyds Bank Corporate Markets Wertpapierhandelsbank GmbH.