“Greater cyber-dependency and the exponential rise in cyber-crime are inextricably linked.”
The sophistication and ability of cyber-criminals to successfully penetrate IT infrastructures is growing at a rapid pace. The Middle East’s financial institutions are increasingly being targeted and are not ready for the tidal wave of threats. There is cause for concern among Gulf Corporation Council (GCC) executives.
Cybersecurity is critical. You’re either ready, or you’re not. The alarm has been sounding for quite some time. It is no longer a question of if your organization may be subject to the risks of cyber-threats, but when. The paradigm has shifted, and the harsh realities of cybersecurity are no longer an emerging risk, they have emerged and are a business imperative. Things are only heading in one direction and, left undiagnosed and untreated; the prognosis is alarming. The assets and wealth of financial institutions in the Gulf Corporation Council (GCC) have been identified as prime targets for cyber-criminals. While this is a global issue, the Middle East’s response to combat the threat lags behind the rest of the world.
While asset managers in the GCC seek to grow assets under management, they are failing to attract assets from sophisticated and discerning institutional investors who have already woken to the seriousness of the cyber-threat. GCC institutional investors and investment managers need to protect themselves and their investors from the fallout of financial losses, confidential data compromise, unlimited reputational damage and disruption associated with successful cyber-attacks.
The statistics are not comforting. In a recent Marsh & McLennan Companies and Firefly survey of European institutions, 23% of respondents acknowledged they had been a victim of a successful cyber-attack in the last 12 months. Nearly two-thirds of survey respondents said cyber-risk is among their organization's top five risk management priorities; only 45% of respondents said they formally estimate the financial impact of a potential cyber event as part of risk management.
2017 was the most damaging year for cybersecurity; Wanna Cry ransomware and NotPetya’s “wiper” malware permanently changed the global cyber-landscape. NotPetya is said to be responsible for US$1 billion in economic losses. If not sufficiently alarming, August 2017 saw the loss of 150 million consumer credit customers’ personal records and wiped US$5 billion off market cap. Whichever way you look at it, the prognosis is worrying. Cyber-incidents, once considered extraordinary, have rapidly become commonplace.
The cost of cyber-crime to businesses over the next five years is expected to be US$8 trillion. In a world with 7.6 billion people, there were an estimated 8.4 billion internet-enabled devices in 2017. The figure is projected to grow to 20.4 billion by 2020. The world is experiencing the rise of cyber-dependency due to increasing digital interconnection of people, things and organizations. Greater cyber-dependency and the exponential rise in cyber-crime are inextricably linked.
In response, the World Economic Forum’s Global Risks Report 2018 upgraded the risk of cyberattacks and data fraud or theft to top five risks by likelihood. In 2017, cyber was not even a standalone risk in The Global Risk landscape rankings. Ernst & Young suggest cyber-risk has evolved as a standalone critical risk category to be viewed not only as a technology issue but as a pervasive business and operational risk with the potential for significant impact on assets, revenues, reputation, confidentiality, and profitability.
In an effort to bring greater investor and consumer protections, while increasing the cyber-standard expected of organizations, a new wave of sweeping regulation is emerging. The General Data Protection Regulation (“GDPR”) will be introduced in 2018 and imposes far-reaching obligations surrounding cyber-breach disclosure. Commentators suggest GDPR will “change the world as we know it” and, while GDPR is EU legislation, other leading global financial centres are rapidly adopting similar, sweeping cyber-laws. GDPR breaches and non-compliance are expected to result in billions of dollars of fines annually. Governments, regulators, supervisory boards, media, and consumers will scrutinize executives’ responses to newly disclosed cyber-incidents which have previously remained below the surface. Financial Institutions in the GCC should not wait for regional regulators to impose similar requirements.
Consider these five steps to managing inevitable cyber-threats:
1. Embed C-Suite Accountability
The stakes have changed for the C-Suite: cybersecurity has firmly taken its place on the corporate risk register and cyber-accountability rests with the Board. While the concepts of cybersecurity may be foreign for many executives and board members, protecting your organization against risk is not. Experienced executives understand their limitations and leverage resources to fill the gaps. Setting the tone from the top, Boards should implement formal data and cybersecurity policies with appropriate governance and cybersecurity awareness processes.
2. Understand the Threat
Undertake an expert assessment to understand the scope of the threat and your organization’s vulnerabilities. Understand the volume and criticality of unpatched software vulnerabilities within your organization’s IT environment.
3. Implement the Change
Strengthen your IT infrastructure by comprehensively tackling the vulnerabilities identified in the threat assessment. Further mitigate the risks of penetration by reducing your organization’s attack surface.
4. Educate your People
The role of human error in successful cyber-attacks should not be underestimated. Human behaviour lies at the core of security strategy. Creative and ongoing employee cyber-awareness and training programs should be implemented.
5. Monitor your Infrastructure
Establish a framework for continuous IT network monitoring, including responsibility for identifying and applying critical software patches, and escalation to the C-Suite. Re-assess the IT environment and emerging threats regularly to ensure ongoing appropriateness versus the changing landscape.
Failure to take the reality of cyber-threats seriously is reckless. By embedding C-Suite accountability, understanding the threat, implementing the change, educating your people, and continually monitoring your IT infrastructure, you will be taking important measures towards mitigating the countless cybersecurity risks we all now face.