Technology as a Risk: Cybercrime & Data Privacy
$81.3bn: the revenue lost to cyber attacks in the Asia-Pacific region in the 12 months to September 2015, out of a global total of $315bn (International Business Report (IBR), Grant Thornton).
Over recent weeks, large-scale ATM heists have taken place in Japan, Taiwan, Malaysia, and Thailand. Coupled with the SWIFT-targeted attacks and other significant cyber crimes reported in Bangladesh, the Philippines, Singapore, Taiwan, Thailand and Vietnam, it is no surprise that board directors, governments and company regulators in Asia are taking it seriously. Last week, enforcement officials from across the region met in Hong Kong to discuss how to tackle the growing cybercrime threat landscape.
As part of their fiduciary responsibilities, boards are responsible for shaping the company's framework for accountability, control, and risk management. This means ensuring effective cyber-risk resilience and governance, data privacy and protection, compliance and reputation risk management, and stakeholder engagement. These activities underpin the board's accountability and leadership and demonstrate its efforts in building and protecting the company's reputational equity.
Severe erosion of a company's shareholder value is common during reputational crises. During its recent crisis triggered by the sudden acceleration issue, Toyota's stock price dropped by as much as 24%, wiping out about US$33 billion in shareholder value, close to the total market value of Time Warner. In its battle with the US government in the aftermath of the 2008–09 financial crisis, Goldman Sachs lost US$24 billion of its market capitalisation, a 26% drop in share price that exceeded the entire value of American Express. During the BP oil spill disaster in the Gulf of Mexico, BP's stock was almost cut in half, the equivalent of about US$90 billion in shareholder value, more than the market value of Procter & Gamble.
In many instances the drop in stock value is temporary; in other cases it is permanent. The outcome always depends on how the company handles the aftermath of the crisis and commits to fixing the underlying business issues, rather than engaging only in public relations exercises. Toyota, for example, commenced a global quality improvement initiative that involved cultural and process changes at every level of the company. Sony executed a three-year, innovation-focused turnaround and recovery program after a state attack on its networks. Today it leads globally as the #1 tech company in the 2016 Reputation Institute RepTrak study, a significant achievement given the central brand architecture of the firm, which puts the entire company at risk in the event of a reputational risk failure.
According to John Carlin, assistant attorney general at the Justice Department for national security, "the (Sony) ordeal was seen as a wake-up call to boardrooms and corner offices around the country" and "did more to raise national security cyber-awareness than any other single event."
Only one month ago, Yahoo came clean about its data breach, the largest of its kind in corporate history. It resulted in a $1B discount from Verizon on the acquisition price and a further $1B to be set aside in capital reserves for fines. This is significant given revenues of just over $4.9B, and it stands in stark contrast to the lack of significant financial materiality for other corporations such as Sony, Home Depot, and Target.
With the new global data privacy regulations coming into force in 2018, accountability for both the controllers and the processors of personal data is set to be enforced with stiff penalties. The current number being discussed by the regulators is a 40,000 euro fine for the loss of every single record. That would be a sizeable penalty if we consider the number of records lost by the following companies.
See also my last post, referencing the new paper exploring the materiality of cyber disclosure by Professor Gilles Hilary et al. (2016) of Georgetown: Cyber risk disclosure - who cares?
In Asia, Grant Thornton reports that a successful cyber attack will have a significant impact on the organization with an estimated cost of around 1.2% of business revenues.
These events and others have made boards all too conscious of the related operational, strategic and reputational risks that have the potential to impact the company's P&L. This is coupled with their own unlimited personal liability in a limited liability entity. In the event of gross misconduct or negligence, it is now reported that many D&O insurers simply refuse cover to directors, leaving them exposed to large-scale class action lawsuits from upset investors and, as we saw in the Sony case, upset employees.
Reputation risk is defined as the risk of a negative P&L event caused by adverse reactions of stakeholders that impact stakeholders' perception of a company and their behaviour. It can also be triggered by a primary risk event or a reputational failure.
FireEye Technologies reports that this challenge is made even worse by the fact that attackers can lurk inside a system for up to 520 days before discovery in Asia, against a global industry average of only 146 days.
Cyberattacks increasingly threaten the very reputation of a firm, but unfortunately reputation risk management programs are largely immature. Each organization has its own interpretation of Basel III, and every financial institution has a bespoke approach. In a stark industry context of needing to rapidly re-engineer for efficiencies, this is a challenge that we should be able to address together.
In addition, cyber resilience and cyber governance are often pushed to the wayside by an overload of "200 financial services industry regulatory updates a day worldwide and over 25% of them in Asia". In fact, Sanjeev Chatrath, Thomson Reuters Managing Director and Regional Head of Asia Finance and Risk, estimates that this volume averages out to one regulatory update for the industry every 10 minutes. This is even more alarming when the average time spent each week by compliance executives on regulatory updates was reported as only 1 hour (Thomson Reuters, the Cost of Compliance).
In the afternoon panel discussion I was joined by my colleagues: moderator James Mirfin, Managing Director, North Asia, Thomson Reuters; my former TruSecure (Cybertrust) colleague Jeremy Pizzala, Partner, Financial Services, Cyber Security, EY; Dicky Wong of the Hong Kong Police; and Shih Hsien Lim, Head of Information Security, Hong Kong Jockey Club.
The following five questions were answered:
- Are organizations structured to effectively deal with cyber crime? Where will cyber crime prevention responsibilities lie in the future?
- How should we be educating the board on cyber crime risks and is it getting on top of their agenda?
- How prepared are banks to deal with cyber crime threats in reality?
- Are data privacy laws clear? What challenges does cloud technology add to the mix?
- What can be done to minimize the risk of data breaches as a result of human error?
Reuters provided an excellent summary of the highlights of the event here: https://www.hk-lawyer.org/content/firms-should-always-assume-they-have-been-hacked-hk-police-says
One of the highlights was the Risky Women's Breakfast, where we enjoyed breakfast with the regulators. Meena Datwani, Executive Director (Enforcement & AML), Hong Kong Monetary Authority, and Bénédicte Nolens, Head of Risk & Strategy, Hong Kong Securities & Futures Commission, joined us and shared their views on the opportunities and challenges of the current regulatory environment. Connecting with like-minded professionals, we engaged in lively discussion and debate and shared our diverse views and mutual challenges over breakfast.
---
About Risky Women
Founded by Thomson Reuters' Chief Risky Woman, Kimberly Cole, the Risky Women Breakfast Series is a unique forum for thought leadership, networking and industry influence which aims to connect, celebrate and champion female leaders in the governance, risk, and compliance fields.
About Thomson Reuters Pan Asia Regulatory Summit 2016
Entering its 7th year, the summit is well established as the key regulatory event across Asia. It is the leading forum for the governance, risk and compliance community and will attract over 550 senior individuals from regulators, financial institutions and corporations.
The summit's extensive two-day program features exclusive keynote presentations from local and global regulators, expert panel discussions and intimate interviews. The agenda covers global regulatory challenges, provides practical advice for institutions and prepares you for future developments in technology and regulation by asking questions such as:
- What impact will global political and regulatory uncertainties have on Asia?
- How can I protect my organization from new avenues of money laundering?
- Is RegTech the answer to my compliance challenges?
You can also check out one of the incredible speakers heard today at #TRRegSummits, Bill Majcher, who shares his insights at the FCC on "How money laundering is done in Hong Kong".