What Cyber Risks Are Keeping The C-suite In Asia Up At Night?

OVERVIEW

From smartphones that respond to speech, to devices that connect with each other across the same room or around the world, technology once common in science fiction now exists in real life, in our hands, every day.

In Asia, businesses have invested heavily in digitalizing business functions – enabling companies to bring products and services to market much more quickly than ever before. Across all industries, technology also continues to automate systems, achieve efficiencies, and enhance connectivity. While these innovations reap benefits for companies and consumers, they also introduce new cyber risk exposures.

While cyber threats are unique to each organization, Aon’s 2019 Cyber Security Risk Report identified eight key risk areas that are pertinent to businesses globally – including Asia.

IN DEPTH

Technology: Opportunities Come with Risk

Centered on experience, expedience, and efficiency, the digital economy has transformed everything from shopping to transportation.

Across Asia, there are prominent players at the forefront of the digital economy – with Singapore leading the way at over 33 percent usage of mobility services. When it comes to revenue in this category, China generates $77.3 billion per year and is second only to the U.S., while Japan is fourth with $17.2 billion.

Murray Wood, head of financial specialties, Commercial Risk Solutions, Asia, credits this rapid rise to the increasing consumer demand for technology-enabled experiences. Whether a new entrant like a car-hailing service or a traditional brick-and-mortar location increasingly going digital – today’s companies are transforming their traditional models to stay relevant. “As organizations embrace digital transformation, leaders should aim to understand the associated risks and plan to address them,” Wood says.

Supply Chain Exposure a Rising Threat in Asia

As supply chains become more global – and connected – all players in the chain can become more vulnerable. “Supply chain exposure is a constant concern for our clients, whether they are reliant on a complex network of providers or concerned about legal exposure to their corporate clients,” says Matt Bartoldus, managing director and security advisory practice leader, Aon Cyber Solutions, Asia.

Wood adds, “The interconnectivity of supply chains is another factor driving senior leadership to identify vulnerabilities and recognize cyber risk as enterprise-wide risk.”

Internet of Things (IoT): Each Connected Device is a Risk-laden Device

A Cisco study projects that by 2022, there will be 13.1 billion connected devices in Asia Pacific – up from 8.6 billion in 2017. Each connected device comes with its own set of cyber security risks, and according to an Aon study conducted in collaboration with Ponemon Institute, 46 percent of companies globally suffered some form of cyber attack intended to disrupt business operations.

As more and more devices become part of the IoT, the threat moves throughout the organization. Wood stresses that if companies are only managing cyber exposure within IT, they are not well-placed to fully understand their exposures or manage a crisis. “Risk and legal teams, key business stakeholders and senior leaders must all be involved in the dialogue.”

Disruption to Business Operations is a Key Concern

While technology can increase a company’s efficiency, it can also open up an organization to the risk of business disruptions through malware, ransomware or other threats – as seen by WannaCry and NotPetya, which have impacted companies across industries and geographies.

Andrew Mahony, head of cyber solutions – risk, Aon Cyber Solutions, Asia, notes, “Business interruption and cyber threats regularly rank as the top risk concerns for companies in Asia. The proliferation of connected devices represents one of the intersections of these risks. Operational efficiencies have been realized but new security risks have emerged, including an organization’s ever-expanding attack surface and the ease with which attackers can move laterally within a network.”

Employees: The Major Cyber Threat Organizations Should Take Seriously

Data breaches can arise from outside and within an organization, and negligence can be as significant a threat as malice. “The front line of cybersecurity is an employee’s inbox,” Bartoldus says.

The motivation behind an attack can vary from commercial to geopolitical, or even personal. In 2018, the SingHealth data breach in Singapore demonstrated the danger that sophisticated external forces can pose. A subsequent data breach that arose in 2019 was due to a compromised individual within the Ministry of Health.

Mahony says, “Managing insider risk goes far beyond technical cybersecurity defensive measures. A comprehensive approach to governance, communication, and training of cybersecurity policies and access limitation is critical and these measures are viewed favorably by cyber insurers.”

Organizations should also consider conducting “bad leaver” investigations – forensic analyses of the digital footprint of high-risk and ex-employees – to gain comfort that sensitive data remains protected.

Cyber Due Diligence Critical in Mergers & Acquisitions (M&A)

When companies engage with other companies, either as acquisition targets or as service providers, they must be satisfied that their counterparts are cyber-resilient. Aon’s 2017 Asia Pacific & Japan Cyber Risk Transfer Comparison Report found that, on average, companies valued their intangible assets at 10 percent more than their physical assets. They also expect loss to intangible assets to outweigh physical assets by $200 million.

By performing cyber due diligence prior to completing a deal, the buyer can both minimize its exposure to risk and improve its commercial position. This provides a purchaser with the confidence to either move forward with a deal or, if not satisfied with the target company, to secure a lower price, demand that the seller incur the costs required to bring the target company’s cyber resilience to a reasonable standard or walk away from the deal.

“A strong deal can be undone by unforeseen cyber vulnerabilities within the target company’s systems,” Wood says. “By performing pre-deal cyber due diligence, the buyer can both minimize its exposure to risk and improve its commercial position.”

Regulations and the Cost of Not Meeting Them

The protection of consumers’ personal data has become an increasingly important imperative for businesses – with regulations such as the EU’s General Data Protection Regulation (GDPR) imposing a fine of up to 4 percent of annual revenue for the mishandling of consumer data. In Asia, a number of countries, such as Singapore, the Philippines, and India, are moving towards mandatory notification regimes that follow the more stringent standards seen in the U.S. and Europe. In Singapore, any organization in breach of the Personal Data Protection Act (PDPA) can be fined up to S$1 million ($740,000).

As more Asian companies expand their operations overseas, they are also faced with the challenge of meeting the varied regulations in each market where they operate and hold customer data.

Increased Accountability Expected of Executives

There is increasing pressure to hold CEOs and other key decision-makers – including the board of directors – accountable for cyber security breaches, a view echoed by Mr. David Koh, chief executive of the Cyber Security Agency of Singapore (CSA). According to a 2018 survey by the BDO Center for Corporate Governance and Financial Reporting, nearly 75 percent of board directors globally say they are more involved with cyber security than they were a year ago.

However, while many boards make significant cyber security spending decisions after a cyber incident, cyber security often remains a capital expense and does not receive an adequate operating budget once the crisis has passed.

It Takes a Village to Raise Cyber Security

The success of cyber security policies and procedures is highly dependent on everyone in the organization playing their part – from individual employees, to risk managers, technical professionals, and especially, the C-suite and board.

“As digital transformation continues to reshape the business landscape in Asia, companies should strive to stay ahead of their cyber risk exposures by constantly and proactively seeking ways to protect themselves,” Wood concludes.