A survey carried out by KPMG earlier this year revealed the true extent of the damage which can be done to an organisation by a cyber attack. This extends beyond the obvious areas such as loss of data or damage to systems, to potential loss of confidence on the part of investors and customers. This reputational damage could have potentially fatal consequences for many organisations and is one of the reasons why KPMG partner Michael Daughton says the issue needs to be moved much further up the corporate agenda.
The KPMG survey of global institutional investors found that 79 per cent of investors would be discouraged from investing in a business that has been hacked, and that they believe less than half of the boards of the companies they currently invest in have adequate skills to manage cyber risk.
In addition, they believe that 43 per cent of board members do not have the skills and knowledge to manage innovation and risk in the digital world. This sentiment was mirrored by another recent KPMG survey, this time of boards and management of FTSE 350 businesses, which found that 39 per cent of respondents agreed they were severely lacking in their understanding of this area.
Daughton, who leads KPMG’s Risk Consulting team which advises clients on all aspects of governance, risk management, internal audit, IT assurance and regulatory compliance, explains that investors view data breaches as a threat to a company’s material value and are reluctant to invest in a business that has had its sensitive information compromised. “Following a number of high profile breaches, global investors are waking up to the issue of cyber security,” he says. “There is now an expectation from investors for businesses to increase their cyber capabilities from top to bottom, including the board.”
There is also a shift in the general view of the issue, according to Daughton. “The whole cyber-security area is now becoming much more high profile. It was historically seen as purely an IT issue but is now being viewed as a much broader business issue. Boards are also looking at it and this is a very welcome development.”
High profile attacks
This elevated importance has as much to do with the benefits brought by new technologies as it has with the difficulties they can create. “The internet has delivered enormous benefits to business and lots of people are using that to try to disrupt businesses. The pace of change in the technology and the proliferation in connected devices have all added to potential vulnerabilities and increased the level of cyber risk.”
Recent high-profile attacks on major global corporations have also pushed the issue up the agenda. “Cyber attacks can have significant consequences for companies,” Daughton points out. “They can lose financial assets, they can lose key data, and there can be a reputational impact. This is why we are seeing it being elevated right up to board level. We are also seeing more focus on the area from a regulatory perspective with regulators wanting to know how firms are dealing with the risks involved.”
The risks do not arise solely from malevolent hackers sitting in dark rooms attempting to wreak havoc for strange fun or other more nefarious purposes. “People often think of cyber attacks as arising from outsiders hacking in,” Daughton says. “But it is a much broader issue than that. It can be internal or external, data is stored on many different portable media and devices and security can be compromised either accidentally or intentionally.”
According to Daughton, there are a number of steps organisations can take to prepare for and mitigate these risks. The first relates to governance. “There needs to be a governance strategy around security and incident management – who is responsible for it and what are the reporting protocols? They also need to establish a firm-wide cyber risk management framework that has adequate scope for staffing and budget. After that the risks to be avoided, accepted, mitigated, or transferred need to be identified and specific plans associated with each approach put in place.”
He argues that firms that take the right approach to dealing with cyber risks can gain a competitive advantage. “We are starting to see a change in this area. It was previously seen as risk mitigation but companies are now turning it to their advantage. If they get it right they can use it to improve the company’s standing with investors, regulators and customers. It is important for firms to be able to show customers that they are on top of this.”
Best in class
And those organisations which don’t get it right could soon face even greater problems. “There is probably going to be a requirement for public companies to disclose in their filings how they are managing risks in this area as well as any issues which they have had during the reporting period. Companies can use this as an opportunity to communicate the fact that their cyber risk management and mitigation strategies are best in class. That’s definitely the way we are seeing this going in the future.”
He accepts that there is no foolproof strategy, however. “With the pace of technological change and the increasing range of devices creating new points of attack all the time there is no guarantee that any strategy will be totally effective. At least if an organisation has the right processes in place they will know when they have been attacked and when data has been compromised and will be able to respond to that.
“Ultimately, all organisations can do is have the right governance, strategies and processes in place to ensure that they keep pace with the changes and are able to respond to attacks and deal with any security issues whenever they might arise. They also need to demonstrate to investors and customers that they are taking it seriously and this means boards elevating cyber risks higher up on the agenda and investing more time on it.”