From Hope to Action: Tackling Cyber Risk in Financial Services
This is not based on headlines or scare tactics; it is based on what we have seen first-hand. Over the past few months alone, Waystone has either been made aware of, or helped clients respond to, more than 15 cyber-related incidents.
These were not isolated cases. They cut across different sectors, firm sizes, and business models. And in most cases, the breach did not start with a sophisticated hack; it started with something small, overlooked, or wrongly assumed to be “under control”.
Whether you are in asset management, insurance, wealth advisory, or investment services, one thing is clear: you need to be prepared before, not after, an incident occurs.
The Basics of Readiness, Without the Buzzwords
A well-functioning Cyber Risk Management Framework (‘CRMF’) is not a document that sits in a policy folder. It is something that actually guides how your firm operates day-to-day. It should help you prevent what you can, detect issues early, respond quickly, and recover with control and transparency.
From the work we have done recently, here are the things that really matter.
Tip: do a short exercise. Ask each team what platforms they use, where they store data, and what would happen if those systems went down. The results are often surprising.
Tip: run a tabletop exercise. Make it realistic. Simulate a phishing attack or account compromise. See what happens when you walk through the actual steps with your team.
Tip: make training relevant. Show real phishing examples. Talk about how attackers imitate trusted contacts (e.g. CEO fraud). Build this into onboarding and regular staff refreshers.
Some firms have gone the extra mile and tested whether a fake invoice would get paid, or whether an existing client's bank details could be changed through an email request. With clear oversight and controls in place, these scenarios can serve as another way of testing your controls. Would yours pass?
Tip: ask yourself now: If this happened to us, could we explain what went wrong, show the audit trail, and demonstrate how we fixed it? Does your breach register clearly evidence this and was a breach report completed and signed off?
Tip: put cyber risk on your next board or EXCO agenda. Start with a short, plain-language briefing on the top risks and your current controls. Then talk about what’s missing.
On that point, budget is always going to be a concern, but the cost of an incident or breach (fixing the issue, time spent reporting, updating the regulator, producing reports, lost business, and so on) can easily be double or more the cost of asking a third party to assist.
Tip: review your vendor list. Are cyber risks considered in your due diligence? Do your contracts include clear expectations? Would you know what to do if a third party suffered a breach?
Tip: keep an internal log of incidents and near misses. Use it to evolve your controls and update your CRMF. It shows maturity, and it strengthens your position if you’re ever asked to explain your approach.
We Have Seen The Effect of Cyber Incidents First Hand
The number of breach responses that Waystone has supported in just the past few months is more than we saw over the entire previous year. That trend should concern every firm operating in the regulated space.
But the good news is that preparation works. The firms that had tested plans, clear escalation paths, and trained staff were able to manage their incidents with confidence and transparency. Others needed more support, and that is exactly where a partner with real-world experience can make a difference. Once again, the point is not to eliminate all risk, because that is simply not possible, but to ensure that the firm is prepared. The difference in impact between being prepared and unprepared when an incident occurs is like night and day.
A Better Question to Ask
Too many firms still ask, “do we have a cyber policy in place?” A better question to ask is, “if we were breached tomorrow, would we know exactly what to do?”
If the answer is no, you are not alone, but now is the time to act.
You do not need to become experts overnight. But you do need to know your gaps and take steps to close them. A targeted cyber review, gap analysis, or response walkthrough tailored to your firm can mean the difference between a controlled incident and a regulatory headache.
Being prepared does not guarantee you will avoid an incident. But it does mean you will be ready when (not if) it happens.
The Waystone Cyber Security Team is well-equipped to assist organisations in navigating the complexities of these regulations, implementing effective cybersecurity frameworks, and staying ahead of both global and regional cyber threats. Contact us today to learn how we can support your firm in building a robust and compliant IT risk management strategy.