‘Not all cyber threats come from the outside’

Adam McElroy, Deloitte UK lead for identity and access in financial services, said external cyber threats remained but that not all risks came from the outside.

During a presentation at the recent Channel Islands NEDs Forum in Jersey, he also warned that non-executive directors faced a host of cyber issues to consider.

‘There is an increasing trend for individuals to compromise the integrity of their organisations. This might be direct and deliberate actions by activists,’ said Mr McElroy.

‘However, often internal cyber issues come from errors made by staff who make a genuine mistake or need more support or training for their role.

‘Eighty percent of insider cyber threat is not malicious. Continual investment in training and digital skills for staff should be highlighted at board level,’ he said.

Mr McElroy also said that NEDs needed to be equipped to answer a host of questions around cyber-security – pointing to ransomware as an example.

‘If you are an officer of a company or a NED you may need to debate the question of paying a ransom, but what about anti-terrorism or anti-money laundering regulations? How might you pay in cryptocurrency?

‘Should you even consider paying a ransom and where can you get legal advice? These are questions that NEDs might need to answer and must be equipped to consider, now and in the future.

‘Boards should expect a growing level of scrutiny from regulatory authorities and other stakeholder groups in how they deal with cyber risk.’

NEDs also needed to consider their personal cyber security measures.

‘There are many resources available to NEDs and executives and, in summary, we believe the best form of defence is defence,’ said Mr McElroy.

Helen Gale, a partner at Deloitte, told the forum that information security is one of the most challenging topics boards are currently facing.

‘If NEDs in the Channel Islands are to retain their quality and competitive edge, it is critical to keep abreast of topics like cyber risks,’ she said.