After a welcoming address from Giulia Lupato – PIMFA’s Senior Policy Adviser and Chair for the day – the 2018 financial crime conference began with an address from Robin Jones, Head of FCA Technology – Resilience & Cyber Specialist Supervision. Robin spoke about cyber resilience, contingency planning, moving cyber security considerations beyond the remit of a company’s IT department to its board and creating a security culture in firms.
Giving some background, he told the packed-out event of over 100 delegates that, over the last 3 years, there have been around 600 ‘significant’ cyberattacks in the UK and that, over the last 3 months, these have been happening at the rate of around 10 per week. As an example, the NotPetya attack last year took 19 minutes to infect 10,000 connected systems globally, prompting an analogy to a domestic fire – “If you had 90 minutes which items would you save first?”
Whilst there is no ‘one size fits all’ solution to the problem of cybercrime, it is critical that firms improve their resilience by learning the lessons from recent attacks, as is education and training for staff and board members alike.
As with most problems in life, prevention is better than the cure. Basic cyber hygiene is therefore a first-line tool for protecting systems. The FCA, which looks after over 56,000 firms in this respect, last year released a joint-authority infographic, affectionately known as the ‘ghostbuster guide’, showing who to contact if attacked.
Next up was Paul Hoare, Senior Manager – Protect and Prevent from the National Crime Agency, who began by sharing key facts such as cybercrime now being regarded as a Level 1 threat by the UK Government – with one eighth of the UK’s GDP reliant on the web and over 47% of reported crime having a cyber element. He also reported that 92% of cybercrime is enabled through phishing and that 68% of large businesses reported attempted attacks.
As previously highlighted in the FCA speech, Paul emphasised that company training from the ground up is critical for corporate protection. He highlighted this by saying that C-Suite members are usually the primary targets of a criminal’s ‘phishing test’, which can leave firms open to the larger threat of network intrusion.
He finished his speech with the warning that severe cyberattacks can result in firms going out of business and that the incoming GDPR rules in May will further focus minds in this regard.
Next on stage was Terry Wilson from the Global Cyber Alliance, who reiterated the importance of the ‘4 P’s’ – Pursue, Prevent, Protect and Prepare. He made clear that in his view, a major cyberattack on the UK is a case of ‘when’, not an ‘if’, and that many firms are woefully unprepared across all business sectors.
Alongside this he highlighted the myriad of free tools available for firms to use, such as collective international efforts from combined agency work to confront, address and prevent malicious cyber activity. One such example is ‘DMARC’ – a quarantine software that has already been mandated for use by the UK Government across all departments – with the US Government shortly following suit.
He ended by asking if the assembled company had taken all reasonable steps in respect of being compliant with the looming introduction of GDPR and by stating that, whilst the UK is reasonably advanced in cyber security, we are behind in respect of sharing our experience and knowledge within the sector, calling for more sharing of best practice and less selfishness.
The day then went on to discuss other key aspects of the financial crime arena, such as the Financial Action Task Force on money laundering and upcoming regulations that firms should be preparing for, alongside experiences of a ‘skilled person’ related to the undertaking of S166 and the top ten tips for whistleblowing considerations.