in collaboration with Andy Ng, EY EMEIA Cyber Partner
Published 27 October 2022 in Magazine • 10 min read • 
Audio available
What we know about cyber-risk from public sources is just the tip of the iceberg. Nevertheless, the known dangers are sufficiently grave to have seized the attention of senior corporate executives worldwide. There is a huge amount at stake for businesses, both financially and reputationally. Estimates vary widely, but almost all put the current annual cost of cybercrime to business globally at over $1 trillion. The most commonly cited analysis predicts that, by 2025, that number will reach $10.5tn.
Several dangers have an understandably high profile in the media and boardrooms. Ransomware currently tops almost every list, given the highly substantial payoffs that hackers can demand. In 2021, CNA Financial, a Chicago-based insurance company, handed over $40 million.
On top of any ransom come the potentially higher costs of the business downtime that usually follows an attack, which typically lasts around three weeks. And cyber-risk is growing exponentially. In EY’s 2021 Global Information Security Survey, 77% of respondents reported an increase in disruptive attacks such as ransomware over the preceding year – a rise from 59% in the 2020 survey.
Being caught in the crossfire of geo-political conflict, such as the Russia-Ukraine war, is another current worry. This is prudent: worldwide collateral damage from the 2017 NotPetya virus, likely created as a Russian attack on Ukraine, totalled billions of dollars. Meanwhile, companies have had to react to a tsunami of data-privacy regulation. A Gartner study predicts that, by next year, 65% of the world’s population will have its personal data covered by modern data privacy regulations, such as the EU’s GDPR. In 2020, that figure was just 10%.
However, while boards understand that these and other individual cyber-risks exist, they frequently fail to see the bigger picture. Too many executives conceptualize the dangers as a series of sizable technology challenges. Boards, in contrast, tend to gloss over technology problems or treat them as a responsibility that lies elsewhere within the company. As a result, rather than developing a holistic, business-wide strategy to tackle cyber-risk, the response can seem like a high-stakes game of “whack-a-mole”, with technological fixes cobbled together to address each threat as it pops up.
This kind of approach constitutes a failure to appreciate the sheer breadth of cyber-risk; the dangers affect not only IT systems but every aspect of business. Executives must understand that far more than data is at stake. Physical and cyber-spaces are now inextricably intertwined. A hack of a hotel chain, for example, could just as easily compromise key cards to provide access to rooms as they could record keystrokes that result in a leak of confidential data. The risks here go far beyond compliance. In such an environment, the already substantial reputational costs of a data breach will only multiply.
There are some key aspects of cyber-risk that may still be under-appreciated but are crucial to helping boards and executives assess how best to prepare an organization’s defenses in the face of proliferating threats.
One is that a hack isn’t necessarily the work of an outsider. Corporate insiders pose a significant cyber threat, accounting for 28% of breaches, according to respondents to the 2021 EY Global Information Security Survey. The survey also indicates that this number is growing. If history is anything to go by, the current economic turmoil could drive even more employees to perpetrate such desperate acts.
Trusted partners and clients may also pose substantial threats. We know of one British plastics molding company that went out of business after an overseas customer used its privileged access to another firm’s IT systems to steal intellectual property. Armed with this information, the customer went on to become a cut-rate competitor. It is extremely unlikely that this story is unique.
Rather than developing a holistic, business-wide strategy to tackle cyber-risk, the response can seem like a high-stakes game of whack-a-mole, with technological fixes cobbled together to address each threat as it pops up
An insider might also be a vector through which other bad actors can take advantage, including through their personal IT tools or via social engineering tactics. Criminals no longer limit themselves to a business’s in-house hardware, and have grown increasingly sophisticated in detecting, understanding, and attacking weak points in a business’s technological ecosystem.
As a result, vendors and other third parties throughout the supply chain also offer a way in. Rather than attacking a target company directly, hackers research the target company’s supplier network. They then look for the weakest link, which allows them to break into the rest of the chain. Moreover, an increasingly popular approach is to slip malicious code into software suppliers’ products, potentially providing access to hundreds of supply-chain networks.
Once embedded within corporate systems, criminals have also begun to show an unnerving degree of patience. In 2018, a leader in the hospitality industry suffered a major data breach, which involved confidential details of 500 million guests. This occurred following an acquisition of a company that had already been infiltrated prior to the deal, affording the hackers easy access to the combined entity. We also know of cases where, during merger negotiations, hackers have broken into the smaller company’s less-well-protected systems, so that, following the merger, the hacker ends up with access to the IT system of the combined firm.
As the above makes clear, cyber-risk can affect the whole ecosystem — including human resources, sales, and purchasing — even mergers and acquisitions. As business units and departments become more closely connected and silos break down, cyber-risk will be a threat to the whole business.
Digital transformation brings with it a range of opportunities. However, everything that is digital – including the vast array of sensors and artificial intelligence (AI) tools that companies now deploy – is a potential target. Nor are hackers showing a lack of ingenuity or ambition. In 2017, Darktrace, a cybersecurity consultancy, reported that criminals had infiltrated a US casino’s entire system via a weakness the hacker had detected in an automated fish-tank thermometer, ultimately securing 10GB of data.
Unfortunately, an organization’s wider digitalization efforts rarely accord cybersecurity the attention it merits. In fact, while the pandemic drove increased digitalization, 81% of executives admitted that it also forced their organization to bypass certain cybersecurity processes or controls.
All this is to underline that companies must recognize that cyber-risk has become a strategic threat, rather than simply an operational one. Those that fail to accept this reality may soon have it forced upon them in any number of ways, with a harshness from which they will find it difficult to recover.
Just as regulation put environmental, social and governance (ESG) issues on boardroom agendas, so it will do for cybersecurity. “Soft” law is already growing, such as the IEC 62443 standards that cover cybersecurity requirements in automation and control equipment. As noted above, data-privacy regulations will soon become the norm for most of the world’s population. In the summer of 2022, the New York Department of Financial Services – which covers much of the US financial sector – has proposed a series of additional cybersecurity requirements in their regulations. These include a mandatory 24-hour formal notification of cyber-ransom payments; an explanation, to be submitted within 30 days of such a payment, indicating why it was necessary; an annual independent cybersecurity audit; and heightened requirements around cybersecurity expertise on boards. Looking ahead, as new cyber-threats appear, new regulation will follow with the potential for an increase in the volume of related litigation and fines.
Rather than attacking a target company directly, hackers research the target company’s supplier network. They then look for the weakest link, which allows them to break into the rest of the chain
Nor are regulators the only external stakeholders showing increased interest. The UK government’s Cyber Essentials scheme is just one example of a purchaser requiring a certain level of security from its suppliers. Insurers will almost certainly become increasingly reluctant to underwrite those businesses unable to demonstrate a basic degree of cybersecurity.
Finally, although historically cybersecurity has not been an area on which companies have commented publicly, except when legally required to do so following a breach, now, investors are demanding transparency. Companies are increasingly expected to include this information in their non-financial reporting.
If the past is anything to go by, market capitalization will be at stake. The valuation implications of security breaches and, more generally, of cybersecurity are well documented. Announcement of such a breach, for example, is associated with a statistically significant drop in the value of stock, a phenomenon which has an outsized effect on financial services companies. On the positive side, excellence in cybersecurity can provide a competitive advantage and raise the market value of the company as a whole. Academic studies show a strong link between cybersecurity awareness and higher stock prices
Progress has been made in managing cyber-risk using a business-wide lens, but this remains far from universal. In 2021, for example, only 44% of companies had at least one identified person reporting to the board on cybersecurity. And just a third of companies (34%) provides management reports to the board on cybersecurity issues at least once a year. That said, while only a minority of businesses have taken these basic steps, the proportion is still much higher than in 2018, when the equivalent figures were just 26% and 18%, respectively.
As businesses begin to put in place structures to address cyber-risk, they will inevitably need to adapt them to their own corporate attributes and threat environment. Nevertheless, all businesses should consider a common set of points in their management of these issues.
To begin with, cybersecurity needs to be multi-tiered, with each level taking a holistic, company-wide approach. The first tier consists of senior professionals, not only from IT but from across the business. Such breadth of effort is essential. Until the whole company embraces the challenge collectively, effective, company-wide security cannot be achieved. Ideally, this should be coordinated through a multi-functional committee. More important is that every department actively supports cybersecurity in some way, aligning its activities with business needs. Here are a few examples:
In order to support this multi-tier cybersecurity strategy, companies need to begin with education and training. Modifying employee behavior is as critical to addressing cyber-risk as questions of governance or technology.
While better cyber-training is necessary across the company, two concerns are particularly pressing. A skills shortage in candidates for the position of CISO, or whoever has responsibility for managing cyber-risk, is one. Too often, the CISO has reached that position by dint of their effectiveness in managing other areas of IT and is still in need of specific training.
Digital transformation brings with it a range of opportunities. However, everything that is digital – including the vast array of sensors and artificial intelligence (AI) tools that companies now deploy – is a potential target
Boards may also lack the requisite skills. Although the proportion of online board biographies that mention cybersecurity experience is growing, most would still fail a cybersecurity exam. Nor are board members likely to be up to date with current cyber-risks. In EY’s Global Information Security Survey, for example, 86% of directors said that their board had not participated in a breach or ransomware simulation exercise in the last year. If audit committees, and indeed risk committees, are to do their jobs properly, they will need to understand cyber-risk thoroughly.
In addition to better training, companies require a shared, high-level understanding of what cybersecurity best practice looks like. Culture, training, governance, processes, as well as relevant software and hardware, must all be in place to prevent attacks. The creation and tracking of relevant key performance indicators are as necessary here as elsewhere in management.
Equally important is recognition that every business will, sooner or later, be the target of a cyberattack. Rather than harboring unreasonable expectations of impenetrable security, companies should take a practical approach, developing and regularly testing measures using simulations and cyber incident response plans. This ensures that everyone, from the board through customer-facing roles and communication to IT, is prepared to respond when an attack comes.
Cybersecurity arrangements that cover all these bases will minimize the impact of cyber-risks and, more importantly, provide the knowledge and understanding of the business implications of cyber-risk that are required of today’s executives.
To improve decision making, every stakeholder – both internal and external –needs to be given a voice, says Isabelle Deschamps, the mining group’s Chief Legal Officer, Governance and Corporate Affairs ...
Antoine de Saint-Affrique, in a frank and open discussion with IMD President Jean-François Manzoni, explains his no-nonsense approach to problem-solving, the importance of speaking the truth, however uncomfortable, and knowing when it’s...
Dinner parties seem less civil affairs than they once did, with guests being dismissive of opposing viewpoints. It’s symptomatic of a wider problem affecting discourse in all areas of society. So, what’s...
Scenario planning is more valuable than ever – but what is it and how can executives implement it effectively? Peter Schwartz, author of the highly influential book The Art of the Long...
You have 4 of 5 articles left to read.