For many of us, the term ‘cyber’ suggests hackers, firewalls or malware. Not without reason; after all, we are confronted day in, day out, with password protection, spam emails and anti-virus software. We rely on external support for most of these issues. This applies as much to private individuals as it does to many companies in the financial sector. Cyber risks are therefore often understood to be technical risks with a focus on protecting IT systems. However, in addition to technology-related risks, they also entail the danger of violation of legally protected privacy rights (e.g. data leaks), non-compliance with regulatory requirements, asset loss and, under certain circumstances, huge reputational damage to the companies concerned. Cyber risks are therefore generally classified as operational risks and addressed accordingly by FINMA in Circular 2008/21, for example.
Cyber risks in 2020
A glance at developments in cybercrime shows that cyber attacks have multiplied since February 2020. It is also apparent that modern cybercriminals not only attack systems, but increasingly have company employees in their sights. By deceiving employees, hackers can circumvent the most complex technical safeguards and divert, manipulate or delete data. At the same time, trends that have experienced recent growth – working from home and ‘bring your own device’, as well as operational restrictions caused by business continuity measures – make it difficult for companies to identify, monitor and respond to cyber activities.
Like many others in recent months, you may have found yourself conducting part of your business communication using WhatsApp, iMessage, text messages, free video conferencing solutions and even messages on LinkedIn or Xing. While employees are increasingly using these media, particularly when working from home and often with the noble intention of greater efficiency, this trend means that information is being knowingly or unknowingly transferred to, and stored on, communication channels beyond companies’ monitoring capabilities – where it can be accessed much more easily by cybercriminals. Depending on how the information is classified, this also circumvents established security mechanisms such as encryption, or the blocking of messages that attempt to send bank customer data outside the company.
Dealing with cyber risks
The example of communication channels shows that this period of decentralised working has produced more than just new cyber risks. Above all, companies are facing new attack vectors – potential points of entry for cybercriminals – which amplify the risks we already know about. Dealing with these risks has long required not just technical system solutions, but also a high level of discipline and diligence on the part of every employee. Effective solutions and measures therefore need to link up with another prominent issue in the financial sector – business conduct.
For managers, this trend represents an additional challenge for implementing and monitoring measures: companies are increasingly judged on their ‘cyber resilience’ – an overarching term derived from the familiar concept of ‘business resilience’. Achieving and maintaining a high level of cyber resilience requires structures and skills for assessing and addressing cyber risks on an interdisciplinary basis. This includes every company having a mature cyber strategy and a reporting system that is tailored to its recipients.
And there is also a positive effect: in an increasingly digitalised environment, a sound strategy and a high level of cyber resilience can lend a real competitive edge.