AMI recommended that firms should treat digital risk in the same way they do regulatory risk – that staff at all levels should have a basic understanding.
It added that cyber risks should be addressed in firms’ overall disaster recovery plans and these should map the steps that need to be taken in the event of an attack or breach, including allocating responsibilities.
How a breach is communicated to staff and to the data subjects who might be compromised, and how to deal with regulators and the press, should also be covered.
No sector immune
AMI chief executive Robert Sinclair said: “The global spread of the WannaCry ransomware should be a wake-up call for businesses to review their cyber security infrastructure, as no sector or type of firm is immune from attacks.
“This is particularly relevant considering the implementation of the General Data Protection Regulation next May which requires firms to understand how they hold and process their data, with significant fines for any breaches.
“Our factsheet should be considered a starting point for members, as the National Cyber Security Centre produces extensive guidance for firms on specific areas,” he added.
The guidance is available for members to download and AMI will also include a regular section on cyber security in its monthly member newsletter and signpost to relevant guidance.