lolloj - Fotolia

Report urges government tax breaks for cyber security investment

A report on improving cyber security in the financial industry makes several recommendations – including targeted tax breaks to stimulate investment

The financial and related services industry should make the case to offset cyber security budgets against tax, to catalyse cyber security investment, according to a report.

The Cyber and the City report, by financial industry association TheCityUK and global insurance broker and risk firm Marsh, makes several other recommendations on reducing cyber risk.

These include establishing an industry-wide cyber forum to complement existing bodies and initiatives; encouraging information and best-practice sharing; encouraging support for the UK cyber security sector; and encouraging cyber hygiene standards in lending, underwriting and investment decisions, to promote cyber security in the wider economy.

The report recommends using the cyber forum to promote collaboration across all firms in the financial and related professional services industry.

The forum would seek broader and committed support for cyber management and the many existing initiatives that are running, the report said. Its agenda would include encouraging information and best-practice sharing, working on cyber risk aggregation and system recovery and helping to develop a strong UK cyber security sector.

The report recommends the financial industry investigate cyber risk aggregation in the financial system, vulnerabilities to widespread attack and recovery from them.

Read more about cyber crime

Bank cyber crime campaign

Publication of the report coincides with a statement from the chair of the US Securities and Exchange Commission (SEC), that security is the biggest risk facing the financial system.

The statement, by Mary Jo White, is one of the frankest assessments yet of the threat to Wall Street from digital attacks, according to Reuters.

White’s statement comes just days after global financial messaging organisation Swift warned of a highly adaptive cyber criminal campaign targeting banks with stolen user credentials to submit transfer requests.

Swift issued the warning along with news that another bank has been targeted by cyber criminals, in a similar way that led to the theft of $81m from the Bangladesh central bank’s account at the Federal Reserve Bank of New York in February 2016.

In the face of the growing cyber threat, the report by TheCityUK and Marsh called for greater cyber security collaboration among financial sector firms.

Organisations in the sector need to take urgent action on cyber risk, the report said, highlighting the fact that most of the 2.5 million cyber crimes reported in the UK last year were various forms of fraud – with the loss typically borne by the financial sector.

Reputation a shared asset in finance

City firms have the data, money and profile to attract the full range of attackers – including those seeking to undermine the financial system, the report said.

According to the report, reputation and reliability are shared assets and firms should work collectively to reinforce the financial system’s resilience, protecting services critical to the UK economy and ensuring that the UK remains a secure global financial centre.

According to the report, while larger institutions are engaged on cyber security, there is an opportunity for the industry and individual firms to enhance cyber security and resiliency after cyber breaches.

Survey evidence from Marsh supports the fact that too few firms are tackling cyber in a cohesive way – with only 30% of large firms having it as a top ten risk, only 39% having quantified the risk and just 30% having a breach response plan.

Board responsibilty for cyber security

The report recommends that boards should hold management responsible for cyber risks – instead of their IT departments – and provides ten simple questions that management should consider.

The report said that – considering that 95% of all cyber incidents involve human error – people and processes matter as much as technology when it comes to managing cyber threats.

Other recommendations for individual firms include making cyber a standing item on the board or risk committee agenda; ensuring cyber risk is a part of strategy, investment cases, acquisition and appraisals; having a broad-based team inputting to how cyber risk is managed; and monitoring cyber readiness.

Chris Cummings, chief executive, TheCityUK, said that, while there is no silver-bullet to manage the cyber threat, there are practical steps the industry and firms can take to ensure they are well protected against attack.

“Cyber hygiene should be as commonplace as locking the windows and doors when you leave the house. It is essential for the industry and the continued attractiveness of the UK as a safe place to do business that we tackle this issue head-on and make the UK a centre of excellence for cyber security,” he said.

'Knowledge is power'

Mark Weil, CEO, Marsh UK & Ireland, said financial services are a high-value target for cyber crime, given their importance to the economy.

“In the end, most firms are going to need to spend money on cyber defences. That’s going to make for difficult choices on how much and in what they invest. Cyber insurance is an important element of preparedness as it marks to market the nature and size of threats firms face and the best use of their money in defending against them,” he said.

Commenting on the report, Andy Buchanan, UK and Ireland vice-president for security firm RES, said that, while the fact that the financial services sector is a prime target for cyber crime is not a revelation, the report is different for its suggestion of tax breaks to fund the strengthening of the industry's cyber defences. 

“Perhaps this should be considered across other key sectors, what the government does for one, it must surely do for another,” he said.

However, Buchanan said the real opportunity comes from the establishment of the proposed cyber forum. “For too long there has been a lack of knowledge sharing across all industries, including financial services.

“As the saying goes, knowledge is power. By sharing information banks would have better, smarter intelligence into how to shore up their defences and innovate accordingly in the face of a determined, highly adaptive and sophisticated opponent.”

Read more on Hackers and cybercrime prevention