Q&A: Cybersecurity

Cybersecurity is increasingly an area of focus for clients and their gatekeepers. This has been driven by several factors, including recent high-profile attacks worldwide and evolving regulations in the space. Consequently, cybersecurity is now viewed as a core business risk rather than a purely technological one. In this article, Thierry Nardozi (Business Leader for Mercer Sentinel, Growth Markets) discusses Mercer Sentinel’s approach to cybersecurity as part of its overall due diligence process, recent regulations in this space and how organizations can manage cyber risks.

How do you incorporate cybersecurity within the ODD process?

Cybersecurity is increasingly becoming an area of key focus for clients as well as their consultants. Boards are starting to pay much greater attention to this due to increasing regulation. Technology has always been a key part of our assessment at Mercer Sentinel. However, there is a growing awareness and recognition that cybersecurity has evolved from being an IT risk to a business risk.

With that, we now think about it at the overall firm governance level as well. However, as a first step, we check if the company has a cybersecurity policy in place; how often is it reviewed, tested and updated? Then, does the IT infrastructure incorporate things like disabling USB devices, data encryption, remote-wiping capabilities, 2FA, penetration testing, phishing exercises, etc.? It’s also important to know whether the company provides employee training on this topic and how the company views cybersecurity in relation to its use of third-party service providers.

How does a company establish a cybersecurity policy? What are some of the key metrics to consider?

There are several aspects to this question. First, what are the legal and regulatory requirements with regard to cybersecurity policies and reporting of data breaches for the specific organization/industry/country? Second, does the industry mandate any sort of certification or standards, such as ISO 27001?

The third aspect would be organization-specific. This would require the organization to: (a) conduct a comprehensive enterprise-wide risk assessment, (b) understand the mitigating factors/measures it can put in place, (c) determine the areas requiring additional investment (technology infrastructure and/or human capital and employee training), (d) put in place incident response policies and procedures to deal with a data breach in the event of a cyberattack, and (e) educate the board and senior management with regard to cybersecurity and the business risk it presents to the organization (instead of it just being viewed as a technology risk).

How have recent regulations across the various countries shaped their respective cybersecurity policies?

There are a host of new regulations being rolled out across the various markets. For instance, in 2017, the Australian Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which mandates that any organization that comes under the Privacy Act will be required to inform the Australian Information Commissioner and members of the public if their data has been compromised. During the 2015–16 period, the Office of the Australian Information Commissioner was voluntarily informed of 107 data breaches; the two entities with the greatest number of breaches were the federal government and the financial services industry.

China plans to roll out its new Cybersecurity Law on June 1st. In this law (a first of its kind nationally), there are legal principles for data privacy, and financial penalties for data breach incidents are severe. Penalties for companies could be up to RMB1 million (approximately US$150,000) or ten times the illegal income, and penalties for individuals who are directly in charge could be up to RMB100,000 (approximately US$15,000). The law also requires critical data to be stored physically in China; data can only be transferred out of China if a company receives government approval and the transfer is deemed “truly necessary.”

In February 2017, New York State (USA) announced regulations for banks and insurers requiring them to meet minimum cybersecurity standards and report breaches to regulators. The regulations require financial services organizations to conduct reviews of third-party service providers. Additionally, the regulations mandate the following:

• A comprehensive cybersecurity policy that is reviewed annually by the organization’s board
• A dedicated chief information security officer
• Annual penetration testing and quarterly vulnerability assessments
• Multifactor authentication
• Incident response plans for cybersecurity breaches, as well as notification to the regulators in the event of a cybersecurity breach that could materially impact the normal operations of the organization
• Annual certification of compliance with the regulations by the board or a senior officer of the organization

Elsewhere, Singapore has the Personal Data Protection Act (2014), which includes a penalty of S$800,000; a new Cybersecurity Act is to be enacted in 2017 to preemptively secure IT infrastructure and ensure reporting of incidents. Thailand and Indonesia both have draft bills under discussion. Malaysia has the Personal Data Protection Regulations (introduced in 2013 and in effect since 2015), with penalties of up to US$70,000.

One impact of such legislation is that it brings the issue of cybersecurity into the focus of boards and also starts a culture of information-sharing, which, in turn, can lead to greater discussion of cybersecurity and how best to counteract cyber threats and attacks.

What are the notable differences, if any, between developed and developing markets in terms of how organizations deal with cybersecurity related issues?

First and foremost, the likelihood of a cybersecurity breach is much higher in the APAC region relative to North America and Europe. A BBC article in 2016 noted that hackers were 80% more likely to attack Asian organizations. Second, the time taken to detect a breach tends to be 1.7 times longer in Asia than the global median according to the Cyber Risk in APAC report by the Asia Pacific Risk Center.

These are likely due to a variety of reasons, such as fewer resources dedicated to this space (Asian companies spend 47% less on IT security than their North American peers) and a lack of training for users (78% of internet users in Asia had never received any form of cybersecurity training).

There is also a lack of transparency in reporting these breaches, which, in turn, means inadequate cybersecurity regulation and enforcement. Although regulations are changing, historically there have not been any mandated reporting requirements with regard to data breaches. This lack of transparency has meant that organizations haven’t taken this risk very seriously until recently and have not put in place adequate measures to counteract the threat of cybersecurity breaches.

Another key differentiator between various regions is the prevalent use of insurance to shift the risk in the US (90% of the global insurance premiums came from the US; the rate of insurance take-up being 55% in the US, 36% and 30% respectively in the UK and Germany in 2016); this is primarily because the US has laws in place requiring mandatory disclosures of breaches. In contrast, the use of cyber insurance (both in terms of take-up rate and percentage of premiums) in the APAC region is minimal.

Recently we have witnessed a lot of phishing attacks and ransomware attacks. How can organizations deter these attacks and counter the threat of attacks from insiders?

· Phishing: Prevention is key. The best way to do so is through the use of technology and periodic testing and training provided to employees, who serve as the organization’s first line of defense in the event of a phishing attack.

· Ransomware: Given the extremely successful ransomware attack we just witnessed, it would be safe to assume we will see more such attacks in the future. Organizations will have to develop a comprehensive and personalized strategy to counter such threats.

· Insider attacks: The 2016 Cyber Security Intelligence Index conducted by IBM noted that insiders were responsible for 60% of all attacks. Although some of these were accidental (that is, inadvertent), nearly 75% of the attacks were deemed to be malicious. The same report also noted that industries with high levels of personal and intellectual data, large amounts of physical inventory and sizeable financial assets were the most likely targets; for example, healthcare, manufacturing and financial services.

These are the best ways to counteract such threats: have a comprehensive policy in place that identifies the key risks and outlines the relevant mitigants in each case; provide appropriate technological resources, both in terms of infrastructure and human capital; and create a detailed playbook that clearly outlines the policies and procedures to be followed in the event of a cyberattack, to quickly neutralize the threat and minimize the downside risk.

Most organizations today are highly complex entities with large volumes of transactions and data and employees located across the globe. How can such complex organizations manage the ever-evolving risk of cyberattacks?

Organizations should assume that it is a matter of when rather than if their cyber defenses are breached and formulate an effective playbook accordingly. The playbook should clearly outline the incident response policies and procedures. Finally, the organization should ensure its employees are trained to effectively deal with the situation when it occurs.

Employees at any organization are the first line of defense in the event of a cyberattack. Investing in state-of-the-art technological infrastructure alone is not enough. Equally important is developing the human resources aspect of cybersecurity. It is therefore imperative to provide training to employees so they are aware of the risks and the best ways to reduce those risks. They should receive training on how to spot malicious intent and suspicious activities. This training should not just be limited to in-house employees but extend to third-party vendors and service providers.

For more information, please contact Thierry Nardozi: