Cyber, cyber security and cyber risk management are in the headlines almost daily, in the context of countries hacking countries, data breaches through data theft, states and companies being held to ransom, or individuals having personal data stolen and published online. We live in what many call the 4th industrial revolution, in a society which has become dependent upon the consumption of data and the use of information and technology. In developed economies, governments, organisations and individuals rely upon technology platforms, data and information to manufacture and sell products and services, provide healthcare and manage financial transactions; to deliver basic services like gas, water or electricity; and to access online banking, hail a taxi or purchase a film to watch on a mobile phone. Data has become a commodity, and if the flow of data and information is disrupted, trade flows slow or stop. What happens if you have power, but you disrupt the flow of information and data? With no data, how do you distribute food if you cannot get the message to the distribution centre? How do you pay for shopping at the grocery store, how do you withdraw money from the ATM, and how do banks transfer money between each other globally? Alongside the growth in data consumption and our reliance upon technologies such as the internet, mobile communications and digital, the cyber threat has grown.
Cyber-attacks, a global problem everyone is talking about
The World Economic Forum (WEF) annual report of global risks places cyber-attack as one of the top 5 risks, behind extreme weather events, failure of climate-change mitigation and adaptation, natural disasters and data fraud or theft, with the potential to have a significant global economic impact in the next 10 years. Cyber-attacks are a geopolitical weapon, with countries targeting countries, countries targeting corporations and countries targeting individuals. The use of cyber as a weapon of warfare is gaining prominence; nation states are targeting power networks or using cyber to support conventional military campaigns. Cyber-attacks are also a well-run criminal activity.
The global cost of cybercrime is estimated in the region of $600Bn.
The global impact of cyber-attacks is estimated at 0.8% of global GDP and rising. It is more profitable than drugs and people trafficking combined and, with the source of cyber-attacks being difficult to detect, harder to prosecute. Cyber is a well-managed economy with its own structures for the targeting of nation states, corporations and individuals, and with an ecosystem for the trading of personal data, the buying and selling of code used for cyber-attacks, the buying and selling of cyber-attacks (Cyber as a Service) and the trading of intellectual property (IP) and private information.
Cyber risks can significantly impact the balance sheet. This makes cyber a significant risk to understand and manage across a company. NotPetya was a global cyber-attack which took place in 2017.
The global cost of NotPetya has been estimated in excess of $3Bn.
The companies it impacted suffered considerable damage: Maersk reported losses of around $300Mn and Merck of over $800Mn. These costs impacted both the top and bottom line, such as the costs to fix the issues identified in the attack, communicating with and compensating customers, lost revenues and sales, the associated brand and reputational damage and the ongoing legal costs. The legal fallout of a cyber-attack can run for several years and the impact to corporate brand will never disappear. Target, a well-known US retailer, has not lost the reputation it gained following its cyber-attack in 2013. The attack on TalkTalk in 2015 still warranted column inches in the UK national press in June 2019. There is growing evidence that the share price of companies is affected by a cyber-attack, and credit rating agencies are running programmes to evaluate the impact of cyber security on credit scoring, which will have a direct impact on the cost of credit for companies in the financial markets.
Cyber risk management, firmly on the board table with the balance sheet
Cyber now sits on the board table and the long-term prognosis for cyber and the board is clear. Cyber as a risk is not going away; it will only become a more significant risk as the digital economy grows. The cost of regulatory compliance will increase, with regulators from many sectors focusing on cyber risk management. The ICO recently enforced the EU GDPR regulation, with intentions to fine both British Airways and Marriott hotels for data breaches in 2018, fines which I am sure their legal teams will be negotiating.
To find out more about cyber risk management and what the board should know, contact Andy Watkin-Child or Richard Chiumento on 020 30438645.