24 April 2017

Data protection, privacy & security

Cyber risk governance must take centre stage at companies

Business Times
21 Apr 2017

The digital revolution has heralded great benefits, but the scourge of cyber crime is growing apace. Cyber crime has been estimated to cost the global economy over US$450 billion a year. Last year, over two billion personal records were stolen. The Asia-Pacific, in particular, would seem to be acutely unprepared.

According to the Microsoft Malware Index 2016, of the top five countries most vulnerable to malware attacks, four are in the region - Pakistan, Indonesia, Bangladesh and Nepal. While Singapore may be some paces ahead - it is, after all, driving significant investments in cyber security - it is vulnerable as well. A 2016 survey of Singapore companies by PwC named cyber crime as the second most pervasive economic crime, after asset misappropriation. Cyber incidents have risen sharply: 43 per cent of respondents were hit in 2016 compared to 15 per cent in 2014. Direct losses reported by companies ranged between US$100,000 and US$1 million.

Shareholders lose as well. Just this year, CGI, an IT and business service provider, released a study on the link between cyber breaches and company value. It found that UK-listed companies that experience a severe cyber breach see their share value fall by an average of 1.8 per cent on a permanent basis. This means investors in a typical FTSE 100 firm are worse off by an average of £120 million (S$215 million). The analysis also suggests that the negative impact on share value is getting more severe. Already, both S&P and Moody's have warned that cyber risks could impact credit ratings. As the threat of cyber attacks rises, says Moody's, "the credit implications associated with cyber defence, detection, prevention and response should start to take a higher priority within our credit assessments and analysis".

To be sure, cyber insurance is among companies' first line of defence and demand is expected to surge. PwC has estimated that annual gross written premiums will rise from US$2.5 billion in 2015 to US$7.5 billion by the end of the decade. In Singapore, AIG expects penetration of cyber coverage to grow from 10 per cent to 40 per cent by 2020. But there are challenges, foremost of which is the dearth of data to enable insurers to adequately define and price cyber risks. Companies are typically reluctant to disclose breaches. An Asia-Pacific cyber impact report by Aon and the Ponemon Institute proffers some sobering insights. It finds that "information assets", which include customer and employee records, were under-insured. What's more, 38 per cent of respondents said that a material loss of information assets does not require disclosure.

Cyber security is an evolving landscape. A comprehensive defence strategy will need a collaborative effort between the public and private sectors. In this respect, Singapore has taken significant steps. Last year, for instance, a Cyber Risk Management Project was launched, a partnership between industry, government and academia to tackle demand and supply challenges in the cyber insurance marketplace. The Monetary Authority of Singapore is also working with the insurance industry and banks on cyber security. On companies' part, there needs to be a robust effort at governance of cyber risks, which should be part of board and senior management oversight. Companies may also have to brace for mandatory disclosure of cyber attacks and incidents, which may well be part of the widely anticipated Cybersecurity Act later this year. Such disclosures will help all parties to get a better measure of the growing risks.

Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.