Posted by Bharti Moore, Senior Associate
The future of financial services: Cybersecurity and fraud issues
UK Finance has just published its 2020 Half Year Fraud report, which revealed that in the first half of the year, a total of £207.8 million was lost to authorised push payment (APP) fraud.
You can find the report here. It is not only customer funds that are at stake. Banks and financial institutions are also a juicy target for cyber-attack, fraud, data theft and data breach.
As the Covid-19 pandemic has forced organisations and individuals to embrace new practices and technology, exposure to cyber threats is significantly increasing. We have seen over the past few months a surge in the use of technology in the financial services sector with increased demand for open banking and collaboration with Fintech businesses. As technology will continue to play an essential part in the sector, it is essential to strike a critical balance between security and privacy, cost and convenience.
This week the Chancellor Rishi Sunak set out his ambitions for the future of UK financial services post-Brexit. “Our plans will ensure the UK moves forward as an open, attractive and well-regulated market, and continues to lead the world in pioneering new technologies and shifting finance towards a net zero future”. One of the key areas of growth under his plan is the role of technology in particular Fintech.
Bob Wigley, Executive Chair of UK Finance said in a separate statement in response, that making the UK financial system the safest and most transparent place in the world to conduct business is vital for the UK’s future global success.
Cyber criminals around the world have been active across the financial services sector, affecting not just firms themselves but also their customers and/or clients. It is therefore essential that firms assess their cybersecurity risks. It is not simply an operational exercise. Directors and senior management teams should also consider their legal obligations. Boards should comply with their fiduciary duty to act in good faith and in the best interests of the firm. This would include a duty to protect their systems and assets, prevent fraud or cyberattacks, mitigate any risks, and take action to respond and recover quickly and efficiently.
The war against cyber criminals and fraudsters will always be an ongoing arms race for the financial services sector, and so it is critical that they stay ahead of the curve.
Bharti Moore, Senior Associate in Royds Withy King’s Financial Services team, suggests the following practical steps that businesses can consider to mitigate these risks.
- Discuss matters relating to cybersecurity and fraud regularly at board meetings. It is not simply an IT issue and boards need to understand the impact on their systems, assets, clients and the wider business.
- Put good governance in place to embed a security culture which ensures cyber is treated as a firm-wide issue.
- Check the business’ insurance covers cybercrime and data protection related issues.
- Ensure networks, systems and software are kept up to date and fully protected.
- Review cybersecurity arrangements, and ensure that policies and procedures have been strengthened to address the heightened risk created by employees working from home, supply chain disruptions and new customers.
- Ensure robust policies and procedures are put in place to ensure new customers, suppliers and technology tools and apps are vetted and approved.
- Continue to monitor for, and identify through good detection systems, any vulnerabilities, weaknesses or flaws that might be exploited.
- Develop and maintain a strong testing regime to embed a culture for continuous improvement as issues are discovered and fixed. Test plausible scenarios tailored to your business and keep audits and logs of any testing and any breaches.
Respond and recover
- Incidents will occur, but the ability to respond to and recover from them will be a key part of your risk management and operational resilience planning. Review and update incident response plans and keep a detailed record of any breaches.
- Ensure that you comply with your regulatory and legal obligations and, if required, report incidents to the appropriate regulators.
- Ensure that staff are regularly trained to identify and deal with issues and to report them promptly. Consider running workshops with executives and staff to increase cyber knowledge, using case studies and incidents reported in the media.
- Adopt a learning rather than a blame culture.
- Review your supervision policy, in particular with increased remote working.
- Educate and provide your customers and clients with guidance and best practices to help them avoid being victims of fraud. Ensure that customers and/or clients do not inadvertently give away their own data. The key here is to be proactive and vocal, to give customers as little opportunity as possible for confusion.
This is only an outline of the issues and points that may need to be considered. How relevant each of the items will be to a particular business will depend on the nature, size, scale and complexity of the relevant organisation.
If directors, senior management or in-house lawyers want to discuss any of the issues above in more detail, please do get in touch. Our Financial Services lawyers are very happy to talk these through with you.