A lack of basic cyber hygiene is leaving companies open to criminal attacks, despite regulators’ best efforts to help them to increase their operational resilience.
Over the past six years, the UK’s Bank of England has implemented a strategy of simulation exercises, penetration testing, and international collaboration to help organizations to counter the risk of cybercrime.
But even though cyber resilience is improving, there are still too many organizations facing basic cyber hygiene issues, such as failing to manage vulnerabilities and store information properly, configuring IT infrastructure poorly, and managing user accounts and passwords badly.
According to Lyndon Nelson, then Deputy CEO and Executive Director, Regulatory Operations and Supervisory Risk Specialists, at the Bank of England, poor cyber hygiene is at the root of more than 80% of successful cyberattacks on firms.
He’s supported by Graeme Newman, Chief Innovation Officer at London-based insurance provider CFC, who told the Financial Times: “Everyone has to recognize that the cyber threat environment is significantly worse than it was two years ago, and therefore you can’t exist in this market without what I consider the most basic controls. Yet we are seeing large corporates come to market without the basic controls in place.”
Nelson urges all organizations to treat cybercrime as a business risk, fully engage with it, and prepare themselves to recover quickly from an attack.
“For many, if cyber is not the number one risk in their risk register, it is the fastest rising,” he began.
Increasing cyberattack attempts
And it should be, if only because the cost of cyber insurance is rocketing as the number of cyberattacks increases. That means companies now face assaults on two fronts: the cost of the cyber risk and the cost of insuring against it, which, according to insurance broker Aon, jumped by 27% in April and May 2021 compared to the same time the previous year.
This steep increase in the cost of premiums is mainly due to a spate of high-profile ransomware attacks during 2021, including ones that targeted the Irish healthcare system, a major US fuel pipeline, meat supplier JBS, and European insurance giant Axa.
As well as increasing the cost of premiums, cyber insurers in the UK (who now provide emergency support and financial compensation in the event of an attack) are also asking clients tough questions about their controls and security measures, going as far as refusing to provide coverage to those that don’t meet their criteria.
“If clients have very, very low controls, we may not write coverage at all,” Tracie Grella, AIG’s Global Head of Cyber Insurance, told the Financial Times.
“But mostly what we’re doing is reducing the cover that we’re offering, so, if clients do not meet the control level that we are looking for, we will have to reduce our limit with respect to ransomware by half.”
In the US, a report by the Government Accountability Office revealed that insurers are reducing coverage for sectors such as healthcare and education.
Need for anti-cyber risk measures
Both insurers and regulators are using a combination of different incentives to try to get companies to strengthen their anti-cyber risk measures. The Bank of England has had a strategy of addressing operational resilience in terms of assessment, capabilities, and coordination since 2015.
As part of the assessment strand of its cyber risk strategy, the Bank has developed a threat-led penetration testing framework – CBEST – to assess organizations’ resilience. CBEST has become its flagship cyber resilience testing program and is now on its second cycle.
Nelson says that establishing CBEST was “truly pioneering work to combine ethical hackers with the latest threat intelligence to provide the best efforts to pick the technology lock of our 40 largest firms”.
CBEST constantly evolves to mirror the “very dynamic nature” of cyber risk, and is now focusing more on malicious insider and supply chain risks.
Nelson says the Bank of England has also helped the G7 publish its Fundamental Elements for Threat-led penetration testing, which has provided a platform for international collaboration on cyber risk.
It has worked with the European Central Bank and other European authorities to conduct CBEST across jurisdictions and to align with other frameworks, such as TIBER-EU. “This gives us a wider scope of action (for example, the ability to look at threats linked to vulnerabilities present on assets in other jurisdictions) and reduce firms’ burden of effort,” says Nelson.
And, as part of its Financial Policy Committee’s (FPC) cyber agenda, the Bank is developing a new type of regular assessment to assess organizations’ operational resilience and its impact on the FPC’s core strategic goals. This stress test, Nelson says, looks at organizations’ response to cyber risk and their ability to recover after an incident.
Exposing and identifying the weaknesses
The next stress test will be carried out next year and will involve a scenario of compromised data integrity within the end-to-end retail payments chain.
Severe but plausible scenarios are also used for simulation exercises – or war games – and these exercises are a key part of the Bank of England’s cyber risk strategy, Nelson explains. “They build capabilities internally and across the sector. They provide an opportunity to rehearse assigned roles and responsibilities and build muscle memory such that reactions become instinctive and measured. They provide a safe environment to prepare for known threats, play out scenarios in ‘slow time,’ and identify weaknesses that a crisis might otherwise expose.
“Exercises can also be used to demonstrate or validate response capabilities, with a focus on managing the impacts regardless of cause.
“The UK is a world leader in its exercise program. Being an observer at one of our exercises sometimes seems like the hottest ticket in town, and we have helped many jurisdictions take their first steps in this important part of the toolkit.”
The Bank of England’s domestic exercise program, covered by the Cross Market Operational Resilience Group (CMORG), aims to help the financial sector become more resilient and respond to operational incidents more effectively.
The Bank’s exercises have included a pandemic, a prolonged outage at its High Value Payment System, and a “significant” cyberattack. It has also run international exercises for the G7.
Nelson acknowledges the challenge of coordinating an exercise involving 23 financial authorities in eight jurisdictions but says the challenge of implementing a program of extensive collective action was far greater.
“There is no operator of last resort function in Threadneedle Street and no facility that can take in an operationally paralyzed bank on Friday and turn out a fully functioning bank on Sunday night, ready to open the next day,” he says. “This leaves an extensive agenda for collaborative responses between industry and the authorities.”
Several working groups have been set up to “collaboratively and collectively address cyber risk,” including the Financial Sector Cyber Collaboration Centre, which aims to proactively identify, analyze, assess, monitor, and coordinate action on cyber risk.
“Addressing cyber risk is to put oneself inside an Escher drawing and, in particular, the Penrose steps, where we are constantly walking up the stairs and not reaching the top,” Nelson says. “This is the nature of the risk. It has a conscious opponent determined like a liquid to pour through cracks and find the lowest level of your controls and exploit them.
“If the risk adapts, so must the response. Our testing and exercising have steadily demonstrated improvements in cyber resilience, but there are still too many instances of failures in what one might call basic cyber hygiene.”
Implementing good cyber hygiene
These cyber hygiene issues were found in large and small organizations with IT infrastructures of all sizes, complexities, and budgets. They make organizations vulnerable to cyberattacks and data breaches that can affect users, administrators, and connected devices on thousands of servers around the world.
Nelson says it is important for regulators to build tools that help smaller firms to assess and mitigate cyber risk, rather than focusing their efforts only on large organizations that could cause systemic risk. The Bank of England is developing a testing strategy and framework that will allow it to assess more organizations more often. It will include a “more approachable” CBEST-style test suited to a wider range of financial sector organizations.
There is also some expectation that, while companies may not be taking adequate steps to protect themselves against cyber risk, governments might intervene to try to kill off attacks (by paying ransoms, for instance), provide more security services, and even provide financial support.
So what are Nelson’s predictions for the future of cyber risk testing?
- A full roll-out of the Bank of England’s operational resilience policy.
- More momentum for collective action as the financial services sector tackles issues such as preventing data corruption and responding to a large bank being operationally paralyzed.
- A more mature international approach.
- A suitable regime for critical third parties.
The changes he would like to see include:
- All organizations take cyber seriously as a business risk.
- Firms prepare properly to be targeted and test their ability to quickly recover from an attack.
- Organizations and regulators working together to combat cyber risk, actively sharing information and building common capabilities.
- Organizations working with suppliers and other third parties to identify, assess, and mitigate cyber risk in the supply chain.
- Enough trust develops between regulators and firms to enable a strong and agile response to cyber incidents.
- The UK continues to set the benchmark for an operationally resilient financial services sector.
Lyndon Nelson was addressing the City & Financial Operational Resilience and Cyber Security Summit in London in 2021.