By Pádraig Hoare
A cybersecurity expert has warned firms must recognise cyber attacks as a “clear and present danger”, as the Central Bank fined an asset management company after it lost €650,000 of a client’s funds in an online scam.
Chief executive of Smarttech247, Ronan Murphy, said companies had to accept cybersecurity as an essential part of modern business, as Appian Asset Management was fined €443,000 and reprimanded by the regulator after admitting “significant breaches across client asset, anti-money laundering, and fitness and probity regulation”.
The Central Bank said regulatory failures left Appian exposed to a cyber-fraud by a third party where, acting on the instructions of a fraudster impersonating a client, it facilitated a series of transactions resulting in the loss of €650,000 of a client’s funds. The cyber-fraud unfolded over two months, during which no one at Appian made suspicious transaction or fraud reports to the gardaí or Revenue. The client was fully reimbursed after the scam was uncovered.
The Central Bank said had it not been for the financial position of the firm, it would have imposed a financial penalty of €825,000.
Its enforcement investigation found the loss was caused by Appian’s “defective controls to protect client assets against fraud”, as well as “inadequate policies and procedures to monitor transactions, detect and report money laundering and provide its staff with appropriate training”.
The firm also failed to ensure that an employee, performing a role that might expose the firm to financial, consumer or regulatory risk, was fit for that role, the financial regulator added.
The Central Bank’s director of enforcement and anti-money laundering, Seán Cunningham, said it was the first time a sanction was imposed where a loss of client funds from cyber-fraud came as a direct result of a firm’s own “completely unacceptable” failures.
“Appian’s failures in this case demonstrated serious deficiencies in its governance arrangements, risk management, compliance oversight, and systems of internal control. These failings, combined with a culture in which clients’ instructions were given primacy over security and regulatory concerns, rendered the firm exposed to the cyber-fraud that occurred. It placed client assets at heightened risk and that risk crystallised,” he said.
Europol, the EU-wide police network, has warned the global impact of cybercrime has risen to €2.5 trillion, making it “more profitable than the global trade in marijuana, cocaine, and heroin combined”.
A survey last year by British IT research firm Juniper found criminal data breaches will cost businesses a total of €7trn over the next five years, due to higher levels of internet connectivity and inadequate enterprise-wide security. It found that SMEs were particularly at risk from cyber attacks.
Smarttech247 founder Mr Murphy said: “Jaws drop when you reveal the scale of the problem at conferences and seminars. It is a real and present danger but many firms still are not getting the picture that you simply must have the basics done right.
“Taking out cybersecurity insurance will not make any difference if you cannot demonstrate a proper level of oversight to the insurance auditors. Firms who don’t have that in place are really leaving themselves exposed.”