Cyber attacks – ‘when’ not ‘if’
Cyber security has always been, and continues to be, an important subject. It is not a question of ‘if’ but ‘when’ a cyber attack will affect you. In DCMS’ 2021 Cyber Security Breaches Survey the scale of the issue is apparent: four in ten businesses (39%) reported having cyber security breaches or attacks in the last 12 months. The Information Commissioner’s Office recorded 8,815 data security incidents during 2020/21.
The regulators have a keen focus on ensuring firms build their operational and cyber resilience by testing extreme but plausible scenarios in order to prevent harm to consumers. A ransomware attack would certainly constitute an ‘extreme but plausible scenario’ – how prepared are you?
Helping firms build their collective cyber resilience is a high priority for the Investment Association (IA). This includes not only ensuring firms are focused on preventing cyber incidents, but also that they are prepared to effectively respond when cyber incidents do occur.
In this vein, we are pleased to publish our Cyber Incident Response Plan guidance. This has been informed by our Cyber Resilience Committee members, who, as industry practitioners, were able to share their knowledge and expertise on the topic. It also pulls together existing guidance to offer a series of considerations for firms to use when producing their own cyber incident response plans.
The pandemic and large-scale shift to home working created new opportunities for cyber criminals to exploit, particularly as the associated uncertainty related to Covid-19 measures left many more susceptible to fraud and scams.
As hybrid working looks set to stay, it is more important than ever that firms review their current IT policies and ensure effective cyber hygiene is in place. Part of this review should include refreshing cyber incident response procedures, testing these plans regularly and focusing on acting on any lessons learned. Our Cyber Incident Response Plan guidance addresses the documents that should be readily accessible when an incident occurs, how to determine a proportionate incident response depending on the severity of the incident, assigning roles and responsibilities and determining communication strategies, amongst other areas.
Whilst it may be a regulatory area of interest, more than anything it is a business imperative to focus on cyber resilience.
We hope you find our latest guidance useful, and we would like to thank our Cyber Resilience Committee in particular for sharing their insights. For more information on the work of the IA and the Cyber Resilience Committee please see our dedicated expert page for our latest activity.