Amid rising tension on the Ukrainian-Russian border and the prospect of conflict, the FCA has sent a “Dear CEO” letter to banks warning them of the threat of Russian state-backed cyber-attacks. Such attacks may be launched in retaliation if sanctions are imposed on Russian entities and individuals.
Whilst the letter was addressed to the banking industry, the warning should be heeded in every sector exposed to the risk of a cyber-attack. It is unlikely that only banks will be targeted if the financial services sector comes under fire, and an attack on EU payment systems or infrastructure could cause massive disruption. There are already reports of cyber-attacks on the Ukrainian military and banking system. Read alongside a recent Financial Times article by Keith Alexander, former director of the US NSA, the lesson is clear: the earlier Russian state-sponsored “NotPetya” attack may have been aimed at Ukrainian infrastructure, but it caused massive operational disruption across the globe (including the US, UK, France, Germany and India), with losses estimated at $10 billion. Once malware of this kind is released, it can spread far beyond its intended targets, which is why companies should prepare for such an eventuality.
The following summarises the actions companies should take before, during and after a cyber-attack.
Who could be targeted?
A cyber-attack could target or affect:
Likely targets include:
It is unlikely that only one sector or business will be targeted. The aim of a cyber-attack of this kind is disruption, and the more widespread the attack, the more likely it is to achieve that aim. An attack will not discriminate and can spread across sectors and businesses quickly, so complacency is not advisable.
Preparing for the worst
Companies may want to take these steps (if they have not done so already):
Once these steps have been taken, it is worth running ‘simulated attack and response’ exercises. These test whether the company’s systems, people and plans can cope with a cyber-attack, and any weaknesses identified and remedied as a result will strengthen the company’s defences.
It is also advisable to contact any third-party or outsourced IT and cloud providers to confirm that they are playing their part in keeping systems secure in light of this emerging risk.
In the event that personal data of individuals is stored on systems, these additional safeguards may help:
Response to an attack
If the worst happens and your company is the victim of a cyber-attack, it is important to have a contingency plan in place. This may include:
Regulated financial services firms may also be required to notify the PRA and/or FCA of an attack promptly under, for example, Principle 11 and the rules in SUP 15. The notification should include details of the attack, its consequences (where known) and the steps being taken to remedy the situation.
If personal data has been compromised, the incident may have to be notified to the ICO. Under the UK GDPR a personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. As a result, the company should:
When informing affected individuals, you need to describe, in clear language, the nature of the breach and which personal data was affected. You should also give them the details of the relevant contact point or of the data protection officer (DPO).
It is recommended that you tell the individuals how you will assist them going forward and what actions they can take to protect themselves. ICO guidance suggests that this may include:
If, after a risk assessment, the company decides that notification to the ICO is not necessary, it is still highly advisable to document the breach and the actions taken in response. If the ICO later decides that an investigation is necessary, the company may be asked to justify the decisions it made.
Take home points