Amongst rising tension on the Ukrainian-Russian border and looming conflict, the FCA has sent a “Dear CEO” letter to banks warning them of the threat of Russian-sanctioned cyber-attacks. These attacks may be retaliatory if sanctions are levied against Russian entities and individuals.
Whilst this letter was aimed at the banking industry, the warning should be heard by in all sectors exposed to risk of a cyber-attack. It is unlikely that only banks will be targeted if the financial services sector comes under fire. The impact on EU payment systems or infrastructure could cause massive disruptions. There are already reports of cyber-attacks on the Ukrainian military and banking system. When viewed with a recent Financial Times article by Keith Andrews, former director of the US NSA, it is clear that whilst a previous Russian state sponsored cyber-attack “NotPetya”, may have targeted Ukrainian infrastructure, it caused massive operational disruptions across the globe (US, UK, France, Germany and India) to the estimated tune of $10 billion. Once the malware is out of the box, it could spread far beyond its intended targets. That is why companies should prepare for such eventualities.
The below, summarises actions companies should take before, during and after a cyber-attack.
Who could be targeted?
A cyber-attack could target or affect:
- Communications companies
- Financial services businesses
- Government agencies
- The healthcare sector
- Manufacturing
- Energy
- Transport
Likely targets include:
- Payment providers
- Machinery connected to the internet
- Cloud services
- Third party service providers
It is unlikely that only one sector or business will be targeted. The aim of a cyber-attack is to disrupt, and disruption comes in the form of chaos. The more widespread the attack, the more likely it is to achieve its aims. An attack will not discriminate and will spread through sectors and business quickly – complacency is not advisable.
Preparing for the worst
Companies may want to take these steps (if they have not done so already):
- Ensure latest cyber-security software is installed and systems are up to date
- Encrypt sensitive files and make sure independent back-ups exist
- Maintain high standards of cyber-security protocols in the business – identity and access management, network authorisation etc.
- Carry out training for employees – how should they respond if they suspect an attack and how can they ensure they minimise human error that might permit or enable an attack?
- Segregate systems – in the event of an attack, only siloed systems may be affected.
When these things have been done, it is worth carrying out ‘simulated attack and response’ training. This will test systems to see how the company will be able to deal with a cyber-attack. Any flaws that are picked up and addressed as a result of such simulations will strengthen the company’s defences.
It is also advisable that any third party or outsourced IT and cloud systems are contacted to ensure that they are playing their part to keep systems safe in light of this emerging risk.
In the event that personal data of individuals is stored on systems, these additional safeguards may help:
- Do not store sensitive data in clear text – pseudonymise or encrypt it
- Don’t hold onto incomplete or old data, whilst it may not be relevant to your business, it can expose the data subjects to malicious actions from attackers
- Ensure that access to data is limited wherever possible.
Response to an attack
If the worst happens and your company is the victim of a cyber-attack it is important to have a contingency plan in place. This may include:
- Convening an incident response team
- Following cyber-attack protocols including investigation, containment and remediation such as activating business continuity measures
- Ensuring reporting processes are followed
- Carrying out system scans to determine the extent of the attack
- Protecting parts of the network that have not been infiltrated
- Reporting the attack to the relevant government body. In the UK this may be NCSC-UK or Action Fraud.
Regulated financial services firms may also be required to give timely notice of an attack to the PRA and/or FCA under (for example) Principle 11 and the rules in SUP 15. This report should include details of the attack, the consequences of the attack (where known) and the steps being taken to remedy the situation.
If personal data has been compromised, this may require notifying the ICO of the incident. The ICO will expect a report if the breach is sufficiently serious and is likely to result in a significant impact to the data subject. As a result, the company should:
- Carry out a data breach risk assessment – is there a risk that data subjects will be seriously affected by the breach?
- Inform individuals who have been affected by a high-risk data breach without delay
- Inform the regulator as soon as practically possible and in any event within 72 hours.
When providing details to affected individuals you need to inform them, in clear language, of the nature of the breach and what personal data was affected. You should also provide them with the details of the relevant contact point or the data protection officer’s (DPO) details.
It is recommended that you provide the individuals with information on how you will assist them going forward and any actions they can take to protect themselves. ICO guidance suggest that this may include:
- forcing a password reset
- advising individuals to use strong, unique passwords
- telling them to look out for phishing emails or fraudulent activity on their accounts.
If after a risk assessment, the company has decided that a notification to the ICO is not necessary, it is still highly advisable that the company record information about the breach and actions taken in response. If the ICO decides that an investigation is necessary, the company may be asked to justify the decisions it made.
Take home points
- Review current cyber-security software – it must be up to date
- Ensure that adequate cyber-security systems are in place
- Carry out regular training both with employees and in response to simulated attacks
- Ensure that a contingency plan is implemented and, in the event of an attack, followed
- Comply with regulatory requirements if an attack (or an attempted attack) occurs
Authors
Follow us online
