At least half of senior executives are apprehensive about falling victim to cyber incidents, with 62 per cent especially wary of a virus or worm attack, according to a recent survey of more than 500 senior executives worldwide by global risk specialist Kroll.
Kroll’s Annual Global Fraud and Risk Report 2018 confirms that this isn’t just a fear whipped up by recent high-profile cases such as the NHS cyberattack in May 2017 – the ongoing threat is real. Eighty-six per cent of the executives surveyed said their companies had actually experienced a cyber incident or information theft, loss or attack over the past 12 months.
In fact, the occurrence of every type of cyber incident the survey included was shown to have increased in the previous 12 months. Nearly four in 10 said their companies had been impacted by a virus or worm attack, while one in three had suffered an email-based phishing attack, 27 per cent had suffered a data breach, and 25 per cent were affected by data deletion.
While cyber crime is having an increasing impact in the business world, it seems private individuals now have relatively less to fear.
The Crime Survey for England and Wales (CSEW) for the year ending September 2017 states that one of the largest contributions to an overall decline in estimated crime was fewer reported fraud and computer misuse offences, where the first year-on-year comparisons showed a fall of 15 per cent. However, the CSEW only measures crimes against the general population.
Compare these figures to the increase in computer misuse crime referred to the National Fraud Intelligence Bureau by Action Fraud, which increased by 63 per cent to September 2017 compared to the previous year (up to 21,745 offences), and the difference is clear. This increase is thought to be due to a rise in levels of malware attacks and security breaches which would not have been captured by the CSEW as the primary victims were organisations rather than individuals.
More than reputational risk
While a successful cyberattack that interrupts business or results in data loss would undoubtedly have a significant negative effect on a company’s standing even now, the upcoming introduction of the General Data Protection Regulation (GDPR) on 25 May 2018 brings with it additional new duties and risks that risk professionals need to take into account.
Under the GDPR there will be duties to notify the Information Commissioner’s Office (ICO) of data breaches. According to the online legal resource Elexica, the largest fine imposed to date by the ICO was £400,000 on TalkTalk, in August 2017. Under the GDPR, the fines now available to the ICO – of up to 4 per cent of annual turnover – will be severe. Where personal data has been leaked, follow-on claims can also be expected.
As companies prepare for the introduction of the GDPR, the ICO has also published its guidance on 12 steps that companies need to take now – well worth a read for all risk managers.
But even under the current regime, it seems that many companies don’t yet have basic defences in place. Elexica’s survey of the FTSE 350 in August 2017 found that more than half of the UK’s largest public companies had not taken the actions recommended by the National Cyber Security Centre to identify cyber security risk, while one in ten lacked a plan as to how to respond to such an incident.
Board involvement is crucial
Risk managers and IT departments cannot fix these issues on their own. The Kroll survey shows that corporate cyber security is rapidly becoming a board governance mandate as the anticipated likelihood of an incident grows alongside increasing regulatory pressures and costly reputational risks associated with data privacy and data loss events.
In response to the rising threat and implications of cybercrime, the National Cyber Security Centre has published guidance on board level responsibility, which reminds executives that proactive management of the cyber risk at board level is critical, as it impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology and finance.
The guidance asks boards to address questions such as:
Fewer than half (46 per cent) of executives responding to the Kroll survey currently involve the board of directors in the formulation of cyber security policies and procedures, and another 40 per cent plan to do so in the next 12 months.
Given the looming threat of cybercrime and its financial and reputational implications, it is right that boards should become more involved in decisions around cyber security in this way, and risk managers should ensure that not only has their company done all it can to guard against cyber risks, but also that their executives understand and shoulder that responsibility going forward.
The increasing potential impact of an attack, and the accountability at board level for the repercussions should one happen, mean that this engagement is essential.