Cyber crime ‘absolutely on the CRO agenda’

Awareness of cyber crime may be increasing across Asia, but risk managers must now work more closely with senior management on the issue, according Deloitte’s risk expert.

Speaking on a panel at the recent 3rd Regulatory Summit in Sydney, Australia, Deloitte partner, risk, James Nunn-Price said one of the challenges of cyber crime is that it is a multi-faceted problem.

“Cyber crime is actually owned by lots of different people in a business, whether it is IT, risk, fraud or security,” he said.

“Not everyone actually sees the bigger picture because traditionally cyber crime has been handled quite low down within organisations.”

All panellists agreed that this is starting to change, however, as cyber attacks become more common on organisations of all sizes.

Panellist Costel Ion, digital crime officer for Singapore at INTERPOL, said there were now 200 new cyber threats per minute.

“It affects citizens, businesses, governments and the more we rely on technology we’ll see in the future many, many attacks [and] many cyber traps,” he said.

“The problem is, and the real challenge is, how do you prepare for them? Can you predict who is going to attack you and why? It’s not the problem of when, it’s who, what to do, how to recover yourself, how to recover your information and assets.”

Nunn-Price said previously many chief risk officers (CROs) did not have the data to understand the potential severity of cyber crime. But an increased focus on the issue from governments, law enforcement agencies and industry regulators has raised awareness.

“Cyber crime is absolutely now on the CRO agenda and their job is to consolidate all of the analysis that has already been done [around cyber crime] to get the right risk management plan in place.”

Cyber crime transparency

Nunn-Price said there was a marked difference in how the US and Asia view transparency around cyber crime.

“In Asia, there’s been a lot of focus on securing the boundaries and securing assets. There has not been much investment on monitoring and responding,” he said.

“If you look at the US, a lot of the dollar investment has gone into monitoring systems for when hackers and criminals have got into the network and then actually being able to respond and manage that incident appropriately so that you minimise the damage.”

Such an approach is only starting to be discussed more broadly in Asia, Nunn-Price said, who also stressed there is a reputation risk component to being transparent about when a business has suffered a cyber attack.

“Consumers trust brands which are transparent. Over half of consumers do not use brands or products from companies they do not trust,” he said.

“When informed about a [cyber] breach, nearly three-quarters of consumers carried on doing business with that brand and using that product because they felt they’d been appropriately informed about a privacy breach or that the company had been hacked.”

Communication breakdown

Nunn-Price said another major challenge is the prominence and regularity of cyber crime filtering up a company to the senior management level.

“I have personally sat in a room with organisations and asked them, ‘have you had any [cyber] breaches, have you had any incidents?’ The chairman and CEO says, ‘none, no, we’re fine, it’s all perfect’,” he says.

“Then the risk manager will say, ‘well, actually just last week…’ and ‘by the way, last year we had a problem where…’, and then I proceeded to see these vicious debates in front of me between these two senior individuals in an organisation.”

Nunn-Price said the reality is there has been a failure in information sharing both in terms of organisations communicating about cyber breaches externally and internally.

“In many multinationals, banks for example, you have an insurance line, a retail bank, private banking, asset management, wealth management, and they are not sharing at an operational level a lot of the information around cyber crime.

“Therefore, at a senior level, you have false confidence and comfort that it is a risk which is under control. The reality is cyber crime is happening all the time.”

Nunn-Price adds that sometimes the cyber breach is on a small scale and goes unreported, as perhaps it is only worth $100 to an organisation, but the industrialisation of organised criminals means such amounts soon add up.

INTERPOL’s Ion said reporting all cyber breaches would be key to combating the problem.

He added that many companies had an over-reliance on technology and malware to stop cyber attacks.

“Nowadays we speak a lot about technology and also how technology can solve everything. We have very good antivirus and very good software packages but these can’t protect us,” he said.

Instead, Ion said a greater focus needed to be placed on the “human factor” of cyber crime and a more consolidated cyber awareness and educational programme.