The recent data theft in Singapore, where hackers stole information on 1.5 million patients during an attack on public health-care group SingHealth, has placed cyber security in the spotlight at financial institutions. The MAS (Monetary Authority of Singapore) asked financial institutions to boost customer verification measures, also directing them to conduct a risk assessment of the impact of the SingHealth incident on existing controls for financial services offered to customers.
Just weeks later, hackers managed to steal the non-financial data of over 120,000 customers from two banks in Thailand, the first such data leak in the country’s banking sector. Meanwhile, Hong Kong’s Department of Health has just suffered a cyberattack whereby data was rendered inaccessible by ransomware, although no actual data was leaked in the incident.
Reports of such cyber threats, now appearing to occur with increasing frequency, are causing financial firms in particular to renew their focus on securing internal systems to root out vulnerabilities that could lead to similar breaches. According to a recent report by global advisory, broking and solutions firm Willis Towers Watson, a full one-third of companies surveyed have suffered at least one serious cyber incident in the past year.
The first line of defence
But the majority of cyber security incidents are non-hacking related and are in fact attributable to employees, says Jessica Wright, Willis Towers Watson’s Cyber Insurance Leader for the Asia region. According to data from the firm’s insurance broking business, about two-thirds of all cyber insurance claims arise from privacy breaches caused by employees, whether such information is released due to negligence or with malicious intent.
“We try to approach cyber risk not just from an insurance perspective, but by also looking at how employees and people generally respond to cyber risk as the first line of defence,” says Wright. The financial services sector was in fact the first industry to seek out cyber insurance, she notes, demonstrating how important the risk is to financial institutions. Indeed, according to Willis Towers Watson’s claims data, the financial services sector accounts for 12% of cyber incidents globally, behind only healthcare (22%) and retail (15%).
“The majority of claims are outside of traditional hacking and malware events that we see widely publicised in the market,” said Wright. “Most claims are the result of negligence, such as accidentally sending information to the wrong people or leaving confidential documents in the wrong place.”
Prevention through awareness
With privacy legislation on the rise, most notably the EU’s GDPR (General Data Protection Regulation), under which firms can be fined up to EUR 20 million, one would assume that such high potential fines would incentivise firms to focus their efforts on mitigating cyber risk.
But in Asia, fines are not a huge concern and they are not necessarily effective in combating cyber risk, says Wright. In Singapore, for example, data privacy regulations can impose fines up to SGD 1 million. But over the last two years, Singapore’s Personal Data Protection Commission has fined 22 organisations a total of just SGD 216,500 (USD 158,000) for security breaches that exposed personal data.
“Generally, cyber awareness is much higher in Western regions such as the UK, Europe and the US than what we see in Asia, so what is needed most is awareness and education,” says Wright. “Companies and their staff need to be aware of the need to protect customer information at all times, and in particular, of the reputational and business interruption risks that may arise due to cyber incidents.”
Wright notes that Singapore’s new Cybersecurity Act was expected to come into force this year to strengthen the protection of critical information infrastructure – which includes the banking and finance sectors – against cyberattacks. The Act will require audits at least once every two years and risk assessments once a year, among other requirements, but current expectations are that the new rules may not take effect until Q1 2019.
“But most financial institutions already have the IT portion of their cyber risk strategy in place,” said Wright, noting that Willis Towers Watson clients have been investing heavily in this area. “We want to encourage financial institutions to look more closely at how to engrain cyber risk awareness within the culture of the organisation.”
According to Wright, employees who are not aware and engaged present risks to companies and their customers. As such, training programmes are crucial to make sure staff know who is authorised to access data, how to handle sensitive information and how to identify suspicious emails and links. “Employees need to know and believe that cyber risk is their responsibility and the responsibility of their organisation.”
Knowing what to do
“But cyber incidents are never going to be fully eliminated,” says Wright. “So bringing incident response and business continuity planning to the forefront is key to being prepared for a cyber incident.” Firms need to know how to manage a cyber event, if it occurs, including who is responsible for managing the fallout, how to continue business operations, which external experts need to be called in, and what other parties need to be notified and by when.
Notably, Willis Towers Watson found in its survey that there is little consensus among boards and executives on cyber resiliency planning, including the deployment of strategies across the organisation, where to allocate funds, and what areas of the organisation are most at risk. The study was conducted in conjunction with the Economist Intelligence Unit, surveying over 450 companies around the world about their strategies and the challenges they face in building cyber resilient organisations.
In the aftermath of last year’s infamous Equifax breach, part of the outcry concerned its failure to notify the public in time, as there was confusion about how the breach should have been managed and not enough emphasis was placed on the affected customers. Following the incident, US regulators were particularly interested in how several top Equifax executives were able to sell their shares before the company finally announced the breach to the public on 7 September – over a month after it was detected.
“It’s about knowing what to do in the event of a breach and how to escalate the matter, and this requires staff training and education,” Wright added. “Many training programmes simply require staff to complete a set of ten questions once a year. This is not enough to make sure employees are engaged and aware of cyber risks.”
A culture of risk prevention
By assessing cybersecurity culture, companies are able to identify vulnerabilities and create awareness to drive action and reduce insider risk, without impeding growth and profitability. Willis Towers Watson uses a Cyber Risk Culture survey to help organisations create a culture of risk prevention. This combines employee opinion surveys and cyber risk management assessments.
“Our Cyber Risk Culture Survey measures employee attitudes and behaviours to ensure companies are taking the appropriate actions to mitigate risk before an incident occurs,” says Wright. “Happy, engaged and empowered employees will fundamentally reduce cyber risk and increase resiliency.”
Staff engagement is becoming key in Asia due to reports of several cyber incidents, including the hacking of Hong Kong travel agencies last year and of telecommunications company HKBN in April. According to Wright, the growing publicity around breaches brings cyber risk to the forefront.
“Our focus is on ensuring that financial firms and their staff are aware and engaged so that we can address cyber risk from a company-wide perspective, covering people, processes and technological aspects,” she adds.
Interviewed for this article was Jessica Wright, Regional Associate Director, Cyber at advisory, broking and solutions firm Willis Towers Watson.