2. The list is endless
• In November last year, hackers stole £2.5m from 9,000 Tesco Bank customers in a raid the UK's Financial Conduct Authority described as "unprecedented".
• In December 2016 hackers stole more than 2 billion rubles ($31 million) from correspondent accounts at the Russian central bank and from accounts in commercial banks, the bank said on Friday, the latest example of an escalation of cyber attacks on financial institutions around the globe.
• Prof Richard Benham, chairman of the National Cyber Management Centre, gives a dire warning: "A major bank will fail as a result of a cyber-attack in 2017 leading to a loss of confidence and a run on that bank."
3. The great cyber-security disconnect
• If it’s so serious why does no-one take it seriously?
• If cybercrime is expected to cost the world more than $6 trillion by 2021,
why do projections for the size of the global cybersecurity market predict
revenues of just $170 billion by 2020?
• Why do the world’s biggest cyber-security vendors only have global
revenues in the $1bn - $1.5bn range, growing at mid-single digit rates?
• If governments are serious about cyber-security, then where are its
ministries? Why are cyber-security resources vanishingly small relative
to other forms of law enforcement?
4. ... more disconnect
• If companies take cyber-security seriously, why does it not look the same as other things they take seriously (board access/representation, funding, seniority)?
• If collaboration is key, then why so few industry information sharing groups, and why don't they really share?
• If collaboration is key then transparency is key, so why the emphasis on secrecy?
PS: A secret: secrecy is not a viable strategy in a new era of scrutiny.
"The more secretive [a company] is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive 'secrecy tax')
5.
• Only 5 per cent of FTSE 100 companies have disclosed having a director responsible for cyber risks, despite fears that corporations are increasingly in danger of becoming targets of hacking.
• Nine in 10 of the FTSE 100 companies identified "one or more" elements of cyber risk in their disclosures, according to a study by professional services firm Deloitte.
• 71 per cent of corporations identified IT systems failure among their principal concerns and 72 per cent highlighted a cyber attack as a risk.
• 11 per cent of the reports mentioned the creation of a new role or body to take overall accountability for cyber risk.
• More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. However, only 58 per cent disclosed that these plans had been simulated in test scenarios over the year.
• "The vast majority of FTSE 100 reports acknowledge the principal risk, but there are wide variations in the disclosure of cyber risk management and mitigation strategies." Phil Everson, head of cyber risk services at Deloitte UK.
6. Seriously?
Advert from LinkedIn
XXXX, from XX Recruitment
Headhunter - Cyber Security
Head of Information Security - Experienced leader with battle scars required for £2bn London-based organisation immediately.
The client will consider contract or permanent members
Day Rate £650
Contract length - Min 6 months.
You have a strong track record in building information security teams, understand business risk and have operated in companies with 50,000+ employees
7. CISO symbolic?
• Why do so few companies have CISOs?
• Why is the role so random?
• Why do so many CISOs quickly jump ship to the sell-side or nowhere?
• Why do CISOs find it so difficult to get hold of the levers of real change?
• How can the role be fulfilled equally well by policemen, spies, techies, heads of training, compliance, project managers...?
8. What kind of CISO do you have?
• Risk CISO: assesses risk; the business decides what to do and buy
• Compliance CISO: writes stuff into policy; actions are taken by others on the basis of that policy
• Project CISO: brought in to do PCI DSS and manage that
• Threat CISO: there because the business knows it's a target and has to do something, but no-one has a clear idea of what
• IT Security CISO: actually a manager in charge of doing low-level technical stuff
• 18-month CISO: hired to take the fall (the board knows a train is about to crash) or hired to tick a box; 18 months in they've no power, no budget, no point.
• Visionary CISO: experimenting, as they know the status quo is broken, but probably still floundering.
9. The industrialisation of cybercrime
• The OVH DDoS attack used 150,000 IoT devices. Imagine what a Smart City could
do. Internet threats will be transformed from attacks on confidentiality to damaging
attacks on the availability and integrity of digital and physical systems.
• IoT hacks will become disasters in the real world. And traditional computer and
network security isn’t prepared to deal with them.
• Artificial intelligence and machine learning are the latest buzzwords among
solution vendors. But what happens when the malware developers use the same
technologies to attack? How do we prepare for machine versus machine and
increased automation?
• Are you really ready for the future? The IoT? AI malware? Automated security?
10. Scale changes everything (and it’s only just begun)
• It raises the probability of attack and of loss for everyone which means it becomes a risk
boards start to look at.
• It increases third-party scrutiny, which creates the kinds of financial effects that boards
respond to.
• It makes cyber-security a proper enterprise risk-management problem, not a niche
tech/training problem.
• It means that the role of CISO (or whatever it comes to be called) becomes better defined. It means cyber-security will be transformed as it becomes a fully accepted part of enterprise business management.
• It means the vendor landscape will dramatically alter because the problem is
dramatically changing.
11. Underestimating scrutiny
• Hedge funds are now publicly shorting companies they see as cyber-weak. Cyber-security will
drive share prices regardless of sector.
• Asset managers lobby for compulsory cyber-audits of investee companies.
• Insurers are demanding full disclosure as the first step in providing cyber insurance.
• Ratings agencies and specialist cyber-security raters are scoring your cyber-security efforts in
public and you can’t stop them. How do you work with them to preserve your reputation and
access to markets?
• M&A deals stand or fall on cyber-due diligence. Verizon wants a billion-dollar discount after the
Yahoo data breach.
• Cyber-security is a political football: witness the senators calling for investigations into the
Yahoo data breach, which has also attracted the attention of the SEC.
13. Cyber-security in M&A
In a recent survey report, NYSE Governance Services and Veracode reported that 85% of directors believe discovery of a major vulnerability during due diligence would impact their final decision on a merger or acquisition.
Meanwhile a Freshfields Bruckhaus Deringer survey of global deal-makers reported that 51% of North American respondents had seen cyber security becoming a key part of due diligence in the past year, compared to only 39% in Europe. That figure is likely to be lower still in New Zealand. It appears that directors are recognizing the issue, but perhaps not yet addressing it.
14. Shorting cyber-incompetence
• Cybersecurity companies and investment firms publicly announce cybersecurity vulnerabilities as a part of a short selling strategy
• Public disclosure of security flaws by companies looking to make a profit
• Companies may also face additional security threats if they learn of security vulnerabilities at the same time as hackers, eliminating their ability to fix the bugs before they are announced to the public.
16. More Regulation
• GDPR: fines are material; re-regulation has made cyber-security a financial variable.
• The governor of New York State has announced sweeping new cybersecurity regulations for the financial services industry, designed to improve resilience to online attacks and keep customer data safe. They came into force on March 1 2017.
The regulation demands a cybersecurity program that "is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization."
Firms also have to notify the Department of Financial Services (DFS) of any "material events" and scrutinize security procedures at third-party providers, often a weak link when it comes to protecting data and systems from attack.
A DFS poll of 40 banks back in 2015 revealed that only around a third mandate that their partners notify them of any breaches.
17. Ratings scrutiny
• How do you measure the exposure and report on cyber-risk?
• Do you have a robust, well-documented program to monitor cyber-risks?
• How many times was the business the target of a high-level attack during the past
year, and how far did it reach in the system?
• What areas does the bank feel are still vulnerable to attack?
• Does the bank have any third-party vendor oversight? If so, what kind and how
much?
• What is the bank’s readiness with respect to the NIST framework?
• How does the bank ward off phishing and diminish the likelihood of having data
compromised from an internal breach?
18. ... wait, there's more
• What’s the internal phishing success rate?
• How long has it typically taken to detect a cyberattack?
• What containment procedures are in place if the bank is breached?
• Are emergency scenarios test-run?
• What software or other techniques are used to monitor attacks?
• What kind of expertise about cyberattacks exists on the board of directors?
• How much does the bank spend on cybersecurity, and what resources does it devote? What is the
total tech budget this year versus last?
• What are banks’ capabilities vs peers, and how are they assessed? Is information shared with
peers?
• Does the bank have any insurance to compensate for a cyberattack?
19. Institutional Investors
• Equity investors: pension funds, mutual funds, insurance companies...
• Debt investors: banks, pension funds, mutual funds, insurance companies...
"Cyber security is a significant risk to our investee companies. It
is incumbent of us to discuss how company boards are managing
cyber security and their digital infrastructure throughout the
corporate year," said David Patt, senior analyst for corporate
governance and public policy at LGIM.
"We are concerned that many responses we receive to this
major corporate risk are insufficient. Boards need to be more
aware of their operational environment and emerging threats to
their business. Simply put, it can affect a company's value."
20. Governance, CSR, ESG, transparency
• Corporate and social responsibility
• Environmental, social and corporate governance
• Dow Jones Sustainability Index, Borsa Istanbul Sustainability Index
• Remember L&G?
CVC Capital Partners takes into account the ten principles of corporate governance enshrined in the UN Global Compact and is in the process of putting comprehensive mechanisms in place to incorporate ESG issues into investment analysis and decision-making processes.
We are aware that there is significant opportunity to influence corporate behaviour to achieve improved ESG/sustainability performance through the ownership of its portfolio companies.
CVC believes that best practice on ESG issues both mitigates risk and captures opportunities that enhance the long-term value of the portfolio companies.
21. Who else?
• Debt and equity analysts at banks, investment banks and brokerage firms
• Independent debt and equity research firms
• Insurance underwriters and brokers who provide traditional and cyber
insurance
• Brand valuation consultants
• Private cyber ratings companies
• The press
22. Solutions failing
“The old world is dying, and the new world struggles to be born; now is the time of monsters,”
Antonio Gramsci
"We've done a lot over the past five years and spent quite a lot of money ... it hasn't worked,"
Alex Dewedney, director of cybersecurity at CESG (the info-sec arm of GCHQ)
"The cyber-security industry is fundamentally broken,"
Amit Yoran, President RSA
"Our industry has really failed our market,"
Orion Hindawi, co-founder and CEO, Tanium
Valuing cyber-risk is key to addressing "market failure" around cyber-security,
James Snook, deputy director for business, crime and skills,
Office of Cyber Security and Information Assurance,
UK Cabinet Office
23. "This is not a different type of attacker," said Tanium co-founder and CEO Orion Hindawi. "It's the same type of stuff we've been seeing for 20 years, just more of it."
"Our industry has really failed our market," he told CNBC. "We have, as an industry, been distracting people and have them focus on advanced threat and nation-states."
Hindawi said the cybersecurity industry needs to take a back-to-the-basics approach. The recent spate of cyberattacks in the headlines doesn't reflect the nature of most hacks.
And everyone knows it
24. So can FIs fix it?
• Structure of information technology at banks
  • Contractors
  • Consultants
  • Multiple, scattered teams
  • Complex reporting
  • Staff quality issues
  • The politics of deadlines and promises
  • Culture
• Structure of cyber security at banks
  • All of the above
  • Cyber security says no versus business says yes
  • True management commitment?
25. Conclusion
• Cyber security is a critical issue - you knew that, but it's more critical than anyone realises, if we judge by the current standard
• It's an existential risk and it's a core business continuity risk
• And it's a core business value risk
• You have to take it seriously
• Your board has to take it seriously
• And that means the whole structure and way you do digital transformation has to change