Brian Pennington

A blog about Cyber Security & Compliance


cyber attacks

UK banks and financial market infrastructures have experienced cyber attacks

In the Bank of England’s 2013 H2 Systemic Risk Survey, banks and financial organisations highlighted operational risk as one of the main risks to UK financial stability.

The majority of respondents cited cyber attacks by individuals or groups seeking to exploit vulnerabilities in IT systems, for financial gain or to disrupt services, as a significant threat.

The report states: “In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services. While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.”

In June 2013 the Bank of England said:

“HM Treasury, working with the relevant government agencies, the PRA, the Bank’s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack.”

Perceived Risks from Cyber Attacks have risen strongly

Bank of England Chart

HM Treasury, other government agencies and the financial authorities have formed a Cross Market Operational Resilience Group, which will work to assess, test and improve cyber resilience across the core parts of the UK financial sector.

On 12 November 2013, under the supervision of the Cross Market Operational Resilience Group, an exercise called Waking Shark II took place to test the financial sector’s response to a sustained and intensive cyber attack. It was an industry-led exercise, supported by HM Treasury, the Bank of England, the FCA and several other government agencies. The report on the outcomes and lessons learned will be issued in early 2014.

94% of all data compromised involves servers

Is Your Business Safe From Cyberattacks? An excellent infographic from Imperva shows the seven stages of a targeted attack and makes eight recommendations on how to protect your data.

Customers are demanding suppliers prove their security credentials

IT Governance surveyed 260 board-level individuals across a variety of industries and countries to establish their perceptions and knowledge of their organisations’ IT security position.

The findings of the survey are below:

Do you believe the greatest threat to your company’s data and IT systems results from:

  • Criminals: 26.9%
  • Competitors: 7.7%
  • State-sponsored cyber-attacks: 11.9%
  • Your own employees: 53.5%

Has your business received a concerted cyber-attack in the past 12 months?

  • Yes: 25%
  • No: 54.2%
  • Do not know: 20.8%

Does your organisation have any method of detecting and reporting cyber-attacks or cyber-incidents?

  • Yes: 76.9%
  • No: 16.5%
  • Do not know: 6.5%

Do your company’s board directors receive regular reports on the status of your company’s IT security?

  • Yes: 58.1%
  • No: 29.6%
  • Do not know: 12.3%

If yes, are these reports received:

  • Daily: 4.6%
  • Weekly: 10.8%
  • Monthly: 32.7%
  • Annually: 17.3%
  • Less than annually: 34.6%

My knowledge of IT governance is adequate given today’s cyber threats.

  • Agree: 69.6%
  • Disagree: 30.4%

For our size of business, we are making the right level of investment in information security.

  • Agree: 57.3%
  • Disagree: 30.8%
  • Do not know: 11.9%

I have lost sleep in the past 12 months because of worries about my company’s IT security.

  • Agree: 25.8%
  • Disagree: 4.2%

Do your customers prefer to deal with suppliers with proven IT security credentials?

  • Yes: 74.2%
  • No: 7.3%
  • Do not know: 18.5%

Have any of your customers enquired about your company’s IT security measures in the past 12 months?

  • Yes: 50.4%
  • No: 34.6%
  • Do not know: 15%

Do you know what ISO 27001 is?

  • Yes: 87.3%
  • No: 9.2%
  • Unsure: 3.5%

Is your business compliant with ISO 27001?

  • Yes: 34.6%
  • No: 45.8%
  • Unsure: 19.6%

The survey can be found here.

Disclosure rules clarified, or made more confusing?


Following the UK Information Commissioner’s call for compulsory audits, and the disclosure laws in France and Germany, the US Securities and Exchange Commission (SEC) has released cybersecurity disclosure guidance. Note that it was issued by the SEC’s Division of Corporation Finance as staff guidance (CF Disclosure Guidance: Topic No. 2), not as a rule or formal statement of the Commission itself, a point the guidance makes in its own disclaimer, quoted below.

In setting the scene for the disclosure guidance, the SEC staff point out the risks and consequences of a cyber attack:

Victims of successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs, which may include liability for stolen assets or information and repairing system damage that may have been caused;
  • Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
  • Increased cybersecurity protection costs, which may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.

When identifying the situations when a post Cyber Attack disclosure is required the SEC notes the following:

  • Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
  • Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
  • If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s “Description of Business.”
  • If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its “Legal Proceedings” disclosure.
  • To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.

As with other governmental “guidance”, the overall theme is vague. Even the initial summary raises the question “why offer the guidance if it has no binding force or enforcement?” The guidance itself states:

“This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.”

It is likely to take an organisation suffering a data breach and then failing to deal with the resulting fall-out in a professional and appropriate way before the SEC steps in and makes an “example” of it. Only then will the expectations be tested in practice and, hopefully, the vagueness taken out of the guidance.

As always, prevention is better than cure. Some simple precautions are below:

  • Policies. Ensure your staff know how to handle data and what to do if a breach or suspected breach occurs.
  • Procedures. Documented and tested procedures for data handling, change management, etc.
  • Security solutions. Do not rely on anti-virus and firewalls alone; implement access controls, Security Information & Event Management (SIEM) and, of course, encryption.
  • Audits. Regular and thorough audits of people, processes and solutions.
  • Incident response planning and testing. No matter how much time and money is invested in prevention, things can go wrong, and it is how an organisation deals with the incident that can be the difference between a good and a bad outcome.

The SEC’s full statement is here.
