StrategicRISK Hong Kong Risk Clinic discussed the new cyber and people risk challenges that firms in the region are facing

StrategicRISK Hong Kong Risk Clinic1

Firms based in Hong Kong are more than twice as likely to have suffered a targeted cyber attack compared to their global counterparts, delegates heard at the StrategicRISK Hong Kong Risk Clinic.

Research presented by FireEye at the event found that 60% of Hong Kong businesses had suffered a targeted malware attack in the six months to December 2014 compared to a global average of 27%, and that attacks on Asian firms had increased by 40% in six months. The Asia Pacific region as a whole was also above the global average, with 37% of firms having being hit by a targeted cyber attack. 

The Hong Kong Risk Clinic, held on 4 June in association with AIG and Swiss Re Corporate Solutions, brought together risk managers to discuss some of the key challenges firms in the region are facing when it comes to cyber risk and people risk.

FireEye AsiaPacific chief technology officer Bryce Boland said attackers were becoming increasingly sophisticated at finding their way through a firm’s malware.

Boland conducted a live hack at the event, where he demonstrated how easy it was to get into a company’s computer system and retrieve commercially sensitive information.

During a panel discussion on cyber risks delegates heard that Asian firms were perceived as more vulnerable to cyber attacks due to a more relaxed regulatory environment.

In the US, for example, data protection laws have been tightened, forcing firms to strengthen their privacy controls. Europe is also set to follow suit.

But in Asia the legal ramifications of a data breach are not as severe, which makes them an easier target.

Insurers at the event said their clients’ biggest concerns around cyber breaches were related to the potential reputational damage but that insurance cover should only form part of a firm’s risk management solution. Crisis management, public relations and legal assistance should also be on hand to step in should a data breach occur.

Delegates at the event were also quick to point out that technology and malware could only go so far to protect a firm from a cyber breach and that having the right people and processes in place was just as important.

Indeed, it was suggested that employees can often be the weakest link in a company’s cyber risk mitigation effort.

People risk

The second half of the StrategicRISK Hong Kong Risk Clinic focused on people risk.

Traditionally this area of risk has been the responsibility of a firm’s human resources department, but panellists agreed that risk managers were becoming increasingly involved in this area of strategic decision-making.

There are opportunities to better use already available employee data to assess a company’s exposures and look at staff engagement and productivity.

But delegates said it was inherently difficult to have a complete view of a company’s people risks. This is due to the definition and measurement of people risk differing between a risk manager, a human resources manager and other business leaders within a firm.

All panellists agreed, however, that one of the key people risks for Asian firms in particular was attracting and retaining employees.

Employee benefits, incentives and rewards were said to be particularly important in markets where competition for talent is tight, as is creating a happy and healthy culture.

“Having an overall wellness programme within a firm definitely provides benefits in keeping and attracting staff,” one panellist said.

Regular health exams, easy access to medical care and programmes that encourage healthy lifestyles were all cited as ways a firm could proactively mitigate their people risk.

“If an employee is healthier they’re less likely to suffer an injury,” the panellist added.

Significant people risks also arise when a firm operates in different regions. This becomes particularly apparent during M&A activity, delegates heard.

“You can always figure out what is the right way to come to a [takeover] deal tactically and logistically. But if your culture doesn’t align then it’s going to be very difficult. So making sure the two firms’ values align is the most important thing to our business when considering a deal.”