Barclays and Interpol link highlights proactive approach needed on cyber risk, says expert

Closer links between Barclays and Interpol are indicative of the proactive approach needed from all companies in the financial services sector to address cyber risks they face, an expert has said.

Earlier this week Interpol announced that it had reached an agreement with Barclays that means that staff from the bank work full-time at the law enforcement agency's Cyber Fusion Centre.

The Centre "provides a neutral, global platform for law enforcement, the private sector and academia to work collaboratively, sharing actionable threat information and developing operational responses", Interpol said. Barclays is the first financial services company to join the information sharing initiative.

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said: "There is broad acceptance across the business community, and particularly within the financial services sector where valuable financial data is held, that criminals will target their organisation with malicious software and other technical tools in a bid to gain access to their systems,"

"Barclays' proactive approach in collaborating with Interpol and others at the Cyber Fusion Centre is consistent with the general attitudes on cyber risk across the rest of the sector and should encourage other banks, insurers and investment firms to take their own steps to improve cyber risk information sharing," Birdsey said.

Birdsey said that there are a range of initiatives either already operational or in the pipeline aimed at improving resilience to cyber risk through better collaboration. He highlighted moves to coordinate cyber security testing across the UK and US financial services market, as well as a November 2015 report by a committee of international body the Financial Stability Board which said thatoperators of financial market infrastructures could "strengthen their own cyber resilience" by collaborating with their peers or technology companies.

Birdsey also pointed to European Commission proposals to establish a new public-private partnership (PPP) on cyber security in 2016, as well as new EU legislation that will encourage better information sharing by banks and some other financial institutions on cyber risks.

The Network and Information Security (NIS) Directive will require banks and other operators of essential services to report serious cyber incidents they experience to regulators or Computer Security Incident Response Teams (CSIRTs) which each EU country will require to establish under the new framework. It is envisaged that the establishment of CSIRTs would enhance existing cross-border information sharing arrangements on cyber risk.

In the UK, all organisations are encouraged to participate, on a voluntary basis, in the Cyber Security Information Sharing Partnership, where information on cyber threats and known vulnerabilities are shared with members.

"It is not uncommon for attackers to infiltrate systems and networks for a prolonged period of time before the company concerned is alerted, whether by its own internal security team or third parties," Birdsey said. "Given the significant costs typically involved in responding to and managing a data breach, which can run into the tens or hundreds of millions of pounds, inevitably prevention is much better than cure."

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, has previously pointed to there being legal "grey" areas between data protection rules designed to protect privacy and financial services regulations that mandate the disclosure of personal information in the interests of combating financial crime.