
Cyber risk management in finance

4 December 2017

The reality is that you will face a cyber-attack. The question is how you manage the number one risk for many organisations.


I think that cyber is not a question of just external people accessing information, but also it's about internal people managing information properly and managing their systems according to what they should be doing, without doing the wrong thing.

Cyber on screen: watch the animation in a new screen and listen to Matthew Bowler, strategy and engagement manager, economic & cybercrime prevention centre, City of London Police, share some facts and tips on cybersecurity.


The nature of the cyber risk is ever evolving. As technology changes, so the attacks you face become more sophisticated. However, the principles of managing the risk remain fairly constant. As a finance team you need to be alert to the risks and to the sensitivity of the data that you hold.


Cyber risk management in finance


Finance teams own sensitive data, whether that is financial data or the details of customers and suppliers. Like any other part of the organisation, finance needs to be alert to the threats and to have appropriate prevention and security procedures in place.


Any cyber breach needs to be appropriately managed. With increased focus by regulators and the media on how breaches are handled, organisations face potentially severe reputational damage that must also be managed. Effective and rehearsed plans to deal with the impact and aftermath of a cyber-attack are an essential part of any risk management strategy.


Implementing cyber risk management


As a first step, any organisation needs to understand the data that it holds and the relative sensitivity of that data. Whilst there is a need to protect the organisation as a whole, understanding your data gives you context. An individual needs to be charged with overall responsibility; however, protecting the organisation is everybody's responsibility.


The activities that an organisation needs to undertake fall into three categories:


  • Resilience - protecting the organisation, as far as possible, from the impact of an attack utilising policies and procedures
  • Recovery - the process of managing after an attack has occurred to recover to business as usual as soon as possible
  • Contingency - testing procedures that need to be activated once an attack has occurred and learning lessons from the simulations.

Organisations should not underestimate the recovery phase: the investment required to return to business as normal can be significant. As attacks become more sophisticated, so recovery becomes a greater challenge.


As our data flows become ever more complex, so we need to rethink our resilience and recovery strategies to ensure that we have managed the risks inherent in our global networks and our supply chains.




Consider using established guidance such as that in ISO27001 to provide the basis for a cyber-risk management strategy.

