Among the thousands of reports and surveys to come out of the annual world economic summit in the Swiss ski resort of Davos, one of the most useful is the study of business risks in which executives rank what they consider to be the most pressing of their current concerns. Particularly significant this year was that cyber security grabbed number three position.
Today cyber attack is the existential threat to commerce. There is the threat to the integrity of a company and to its processes, which may need to be repaired and made good. There is the damage attacks can do to reputation; witness the problems of HSBC over tax avoidance. There is the risk of a loss of confidence from customers or suppliers who become reluctant to do business with or engage electronically with the firm. There is damage which is so severe it stops a firm from trading altogether.
All these are damaging, but there is something bigger still. There is also the open-ended threat of an attack on the financial infrastructure which is so severe it brings the system down. This is something which is a very real concern to the Bank of England. And then there is a vast amount of stuff in between where the system survives, but the costs run out of control. That is why insurance is so difficult to arrange; the scope and impact of cyber attacks are potentially so open ended. Marsh, one of the world’s biggest brokers, is on record as saying that the cost from a single attack could reach £20 billion.
Sony Entertainment CEO Michael Lynton faced the chaos of a politically-motivated cyber attack from North Korea in December 2014
Not for nothing did Stephen Catlin, one of London’s best-known insurance figures, say earlier this year that in his view the threat of cyber crime presented the biggest challenge the insurance industry had faced in his lifetime. He knows his firm and others like it are struggling to find answers. But while most can now offer some protection against narrowly defined risks, many clients feel what is on offer is nowhere near to meeting their needs.
Cyber attacks come from a variety of sources; it is not all about the money. There are conventional criminals of course, and extremely well organised ones at that, but there are also governments and their agents making mischief, evidenced by the North Korean attack on Sony Pictures over the release of a film making fun of its leader. There are organisations interested in commercial espionage, either a target company or its competitors, there are whistleblowers who believe some sensitive data should be put in the public domain and there are people without motive who hack into systems just to show they can.
The pressing question for board chairmen is how to assess the vulnerability of their own business and how then to manage the risk. What sort of governance do they need to put in place?
It is difficult because, while most boards are at ease in dealing with finance, they feel less comfortable with technology. It is important that the board is not overawed, however, because there is no qualitative difference in approach to risk control, be it in IT or any other area. Ultimately, at board level, it needs to be grounded in common sense and responds to the same line of questions. What are the crown jewels which the firm has to protect? Is the firm structured in a way which minimises its vulnerability? What are the threats and what systems are in place to deal with them? When were these systems last tested? What were the results? How often are the threats reviewed?
A decade or so ago banks spending on cyber security ran into the low millions of pounds. Now it is hundreds of millions
There are some experts who say this is not enough and that the only effective strategy is to assume at some point an attack will succeed. Working on this basis, the firm should ensure that once a hacker does get through, the damage they can do is limited, perhaps by having several different systems, rather than one big box, with tight security between the different silos. But that, of course, removes a lot of the advantage of centralisation and having all data in one place.
Unfortunately this is not cheap. A decade or so ago banks spending on cyber security ran into the low millions of pounds. Now it is hundreds of millions. The rest of the business world is about to set out on a similar journey.
