Why Cyber Insurance is Relevant for Financial Institutions in the UK

It’s official: in 2023, the UK financial industry was the most attacked sector by a wide margin. That makes sense, as attackers go where the money is, and there’s plenty of money in banking, credit, loans, investing and insurance.

Financial institutions are among the more savvy industries as far as cybersecurity and awareness of ransomware threats are concerned. According to the 2024 Cyber Security Breaches Survey, finance SMEs are among the organisations most likely to seek outside consultation and to be concerned about growing ransomware threats.

That’s why it’s important to dot the i’s and cross the t’s when preparing a proposal for cyber security coverage for a UK financial institution. A proposal that does not fully reflect the institution’s situation and the concerns of its industry will not hold up.

So let’s examine the reasons why cyber insurance is relevant for financial institutions in the UK.

Financial Cyber Insurance – What are the Key Concerns?

The biggest risk for financial institutions is social engineering, sometimes with internal help. There’s a reason so many institutions stress proper procedure and information handling: many go to great lengths, through segregation of duties and dual control on sensitive changes, to make sure that no one person can manipulate data on their own.

But even without inside help, attackers use spear phishing to run highly targeted campaigns against the people who hold the network access they need. They craft customised messages for specific insiders, inviting them to visit lookalike websites and enter their credentials, which the attacker then replays against the real systems.
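The lookalike websites and sender addresses described above can be caught mechanically before a message reaches the insider. The following is an added example, not code from the article or from OSR: it checks the From address, Reply-To, display name and body links of one message against an assumed allowlist of the firm’s own domains (TRUSTED_DOMAINS), normalising confusable characters such as 1 for l and rn for m. The firm, the sender and the message itself are constructed for illustration.

```python
"""Spot spear-phishing lookalike domains in an email's headers and links.

Added example for this article, not code from the original page or from OSR.
The firm, its domains, the sender and the message body are all constructed
for illustration; TRUSTED_DOMAINS is an assumed allowlist of the firm's own
registrable domains.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the firm's legitimate registrable domains.
TRUSTED_DOMAINS = {"examplebank.co.uk", "examplebank.com"}

# Public suffixes under which the registrable name is three labels long.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

# Character swaps that look alike in common fonts; applied before comparing.
CONFUSABLE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Reduce a hostname to its registrable domain (login.x.co.uk -> x.co.uk)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(text: str) -> str:
    """Normalise confusable characters so examp1ebank and examplebank collide."""
    t = text.lower()
    for src, dst in CONFUSABLE_SWAPS:
        t = t.replace(src, dst)
    return t


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    label = skeleton(reg.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        brand = skeleton(trusted.split(".")[0])
        # Same name under another TLD, the brand embedded in a longer label,
        # or a short-distance typosquat all count as lookalikes. The distance
        # threshold of 2 is too loose for very short brand names; tune it.
        if skeleton(reg) == skeleton(trusted) or brand in label or levenshtein(label, brand) <= 2:
            return "lookalike"
    return "unrelated"


def analyse_message(raw: str) -> dict:
    """Check From, Reply-To, display name and body links of one RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1]
    verdict = classify_domain(from_host)
    if verdict == "lookalike":
        findings.append(f"From address uses lookalike domain {from_host}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.rsplit("@", 1)[-1]) != registrable(from_host):
        findings.append(f"Reply-To {reply} points at a different domain than From")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = " ".join(str(p.get_payload()) for p in parts if not p.is_multipart())
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if classify_domain(host) == "lookalike":
            findings.append(f"Link to lookalike domain {host}")
    brands = [skeleton(t.split(".")[0]) for t in TRUSTED_DOMAINS]
    if verdict != "trusted" and any(b in skeleton(name).replace(" ", "") for b in brands):
        findings.append(f"Display name '{name}' claims the firm but address is not trusted")
    return {"from": addr, "verdict": verdict, "findings": findings}


# Constructed sample message aimed at a treasury employee.
SAMPLE_EMAIL = """\
From: Example Bank Treasury <t.reasury@examp1ebank-secure.com>
Reply-To: treasury-desk@mail-relay-example.net
To: j.smith@examplebank.co.uk
Subject: Urgent: re-confirm your trading platform credentials

Hi John, following this morning's call please re-verify your login at
https://login.examp1ebank-secure.com/sso before 17:00 today.
"""

if __name__ == "__main__":
    result = analyse_message(SAMPLE_EMAIL)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run as-is, the sample message is classified as a lookalike with four findings: the From domain, the mismatched Reply-To, the link host and the display name that claims the firm. In production the allowlist would come from the firm’s DNS inventory and the check would sit in the mail gateway alongside SPF, DKIM and DMARC, which this example does not evaluate.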

Firms that rely on the stock market are also concerned about distributed denial of service attacks, or DDoS for short. Slowing trade execution by even a fraction of a second can mean hundreds of millions lost.

The bigger firms normally have dedicated high-speed connections to the exchanges, but this might not be the case for SMEs that are still growing. Either way, customer gateway outages, whether or not they are the company’s fault, can cause severe reputational damage. The only time this isn’t the case is when an entire exchange goes down, as in the recent attack on the Taiwan stock exchange.

Most UK financial institutions have the basics covered, but some skip over the details of data sanitisation. This is how many attackers gain a foothold: recovering data from old phones, hard drives, solid state drives and USB sticks that were never properly wiped, degaussed or destroyed. Note that degaussing only works on magnetic media; it does nothing to a solid state drive or USB stick, which need a firmware-level secure erase, cryptographic erase or physical destruction. Institutions need to be constantly vigilant about how data is erased so that there is no possibility of recovery by attackers.

What Additional Cyber Security Risks Do UK Financial Institutions Have?

Beyond the usual targets, financial institutions deliberately expose public endpoints such as ATMs and kiosks. That means they need software and firmware version control, so that every device can be patched promptly when a security flaw is disclosed.

If these devices are not networked, someone has to physically visit each endpoint on a regular schedule to confirm it is on the latest patch level. Firmware attacks have been on a sharp rise since 2021, and firmware is one of the most often overlooked aspects of cyber resilience.

Related: any institution that keeps a physical asset or representation of wealth on site (bearer bonds, gold, offline crypto keys and so on) needs to worry about access control security as much as any bank would. Not all cyber attacks stay in cyberspace; some end with a much more personal and immediate presence on the premises. That is a risky and expensive attack for the criminal, but if the asset is easily transported and worth several million pounds, it may well be worth the risk to them.

Even without physical wealth on site, impersonation attacks via a compromised authentication factor, typically SMS-based MFA, are a real threat. All it takes is a key employee’s mobile number and one clever phishing attack. Just look at what the Lapsus$ group did in roughly two years with SIM swapping (persuading a carrier to move the victim’s number to an attacker-controlled SIM, so that one-time codes sent by text arrive with the attacker), breaching a string of companies including multiple Fortune 500 firms.

Why is Cyber Insurance Important to UK Financial Institutions?

UK financial institutions, large and small, are in the spotlight for a few reasons. The pound is a strong currency, and London has been a financial powerhouse for centuries; by the end of the 19th century, half the world’s trade was conducted in pounds sterling.

This carries into the modern age in a particular way: London is the world’s second-largest FinTech (financial technology) hub, behind only Silicon Valley.

That means there are a great many potential targets for attackers and social engineers in London alone, never mind the rest of the country. In short: UK financial institutions are in the crosshairs. They’re seen as rich, soft targets. Cyber insurance is one way to help mitigate this elevated cyber risk.

How to Prepare a UK Financial Institution for Cyber Insurance

A full cybersecurity and physical security audit is needed for any UK financial institution considering cyber insurance. The basics are assumed to be in place already: multi-factor authentication, anti-phishing training and network intrusion monitoring. If any of these are lacking, they need to be rectified before a policy is issued.

A common area where financial institutions fall behind is software and firmware updates. This goes beyond the ATMs and kiosks mentioned above and extends into core systems such as databases.

Financial institutions hate system downtime, even when it is clearly necessary to avoid undue risk, so patches often get delayed for weeks or months. This mindset needs to change: the risk of leaving the firm open to exploitation because it cannot follow a sane testing and patching routine is simply too great.

This means deploying a candidate update to a test environment first and simulating peak daily and monthly load on the new configuration. Yes, this costs more than deploying straight to production, but every change needs to be tested first so that a misconfiguration or an overloaded critical system does not open up new security issues and weaken the firm’s defence in depth.
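A first check an auditor can run over the asset inventory, covering both the ATM and kiosk patch levels discussed earlier and the database patch backlog described here, is a drift report that lists every asset below the required version or past its patch-age limit and says whether it can be fixed remotely or needs a site visit. This is an added example, not code from the article or from OSR; the inventory, the field names, the minimum-version policy and the 30-day limit are assumptions. It also shows why version strings must be compared numerically: as text, "4.9.10" sorts above "4.12.3" and a stale ATM would pass.

```python
"""Patch-level drift report for public endpoints and core systems.

Added example for this article, not code from the original page or from OSR.
The inventory, the minimum-version policy, the 30-day patch age limit and the
field names are all assumptions made for illustration.
"""
from datetime import date

# Assumption: minimum acceptable version per asset class after the last
# change window, and the longest any asset may go without a patch.
MIN_VERSION = {"atm": "4.12.3", "kiosk": "2.8.0", "db": "15.4"}
MAX_PATCH_AGE_DAYS = 30

# Constructed inventory; "networked" is False for devices that can only be
# updated by a technician on site.
INVENTORY = [
    {"id": "ATM-0041", "class": "atm", "version": "4.12.3", "networked": True, "last_patch": "2024-05-20"},
    {"id": "ATM-0077", "class": "atm", "version": "4.9.10", "networked": False, "last_patch": "2024-01-08"},
    {"id": "KIOSK-12", "class": "kiosk", "version": "2.10.1", "networked": False, "last_patch": "2024-05-01"},
    {"id": "DB-CORE-1", "class": "db", "version": "15.2", "networked": True, "last_patch": "2024-03-02"},
    {"id": "DB-RPT-2", "class": "db", "version": "15.4", "networked": True, "last_patch": "2024-05-28"},
]


def parse_version(text: str) -> tuple:
    """Numeric tuple so that 4.9.10 sorts below 4.12.3 (string order gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


def assess(asset: dict, today: str) -> dict:
    """Return the asset's compliance problems and the action needed to fix them.

    `today` is an ISO date string so the report is reproducible for an audit.
    """
    problems = []
    required = MIN_VERSION[asset["class"]]
    if parse_version(asset["version"]) < parse_version(required):
        problems.append(f"version {asset['version']} below minimum {required}")
    age = (date.fromisoformat(today) - date.fromisoformat(asset["last_patch"])).days
    if age > MAX_PATCH_AGE_DAYS:
        problems.append(f"last patched {age} days ago (limit {MAX_PATCH_AGE_DAYS})")
    if not problems:
        action = "none"
    elif asset["networked"]:
        action = "remote_update"
    else:
        action = "site_visit"
    return {"id": asset["id"], "problems": problems, "action": action}


def drift_report(inventory: list, today: str) -> dict:
    """Group asset IDs by required action so site visits can be scheduled."""
    report = {"none": [], "remote_update": [], "site_visit": []}
    for asset in inventory:
        result = assess(asset, today)
        report[result["action"]].append(result["id"])
    return report


if __name__ == "__main__":
    for asset in INVENTORY:
        r = assess(asset, "2024-06-01")
        print(r["id"], r["action"], "; ".join(r["problems"]) or "compliant")
```

Note that KIOSK-12 is on a newer version than the policy requires yet still lands on the site-visit list, because it has gone 31 days without any patch; version checks alone would miss a device that has quietly dropped off the update schedule.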

Once the audits come back clean for all of the basic and more advanced cybersecurity measures that UK financial institutions need, a cyber insurance policy may be issued.

Picking the Right Cyber Insurance for Financial Institutions in the UK

Almost every financial institution in the UK will be looking for comprehensive cyber insurance, given the customer-facing or B2B nature of most SMEs. It’s unlikely that they already hold insurance that partially covers them against the fallout of a cyber attack, unlike some verticals that have mandatory coverage from a central authority. The term ‘financial institution’ is so broad that no single insurance type would cover every facet of their operations, so it’s wise to start with a comprehensive policy and prune it down if any double coverage is discovered.

Optimum Speciality Risks provides brokers with a range of comprehensive cyber insurance plans suited to financial institutions in the UK. They’re designed to cover both common cyber threats and compliance-driven legal liabilities. Additionally, the employee education resources are invaluable to SMEs that might not have their own ongoing anti-phishing training.

Questions? Feel free to contact OSR for a consultation.