Boards need to emphasise the importance of Cyber Security to their organisation as cyber crime in Ireland has more than doubled since 2012
Cyber crime is becoming more prevalent as businesses continue to grow and change in the digital age writes Pat Moran. He says financial services company boards need to continuously challenge management on its plans to combat cyber threats so that shortcomings in governing this evolving risk can be tackled.
More than one in three Irish organisations experienced economic crime in the last two years, up from a quarter two years ago. Nearly half of these incidents were cybercrimes (44%). This is according to PwC’s 2016 Economic Crime Study, a study which is carried out every two years including over 6,000 participants in 115 countries including over 100 in Ireland.
Pat Moran
Pat Moran

Cyber security is a key issue for investors, consumers, regulators and employees in financial services all the way up to the board of directors. With major breaches hitting the headlines, stakeholders wonder what potential attacks lie ahead.

Key business executives have started to become more involved in a wider range of cyber defense activities, including the Board of Directors, although there is still a long road to travel on this journey.

Cybercrime is on the increase
Nearly half (44%) of all organisations in Ireland who reported economic crime suffered a cyber attack in the last two years. This has almost doubled since 2012 and is substantially higher than the global results. Of those affected by cybercrime in Ireland, nearly one in five incurred losses of between €92k and €4.6m.

A cyber crisis can be one of the most challenging and complicated that any organisation will face. They require strategies around investigation and communication, as well as significant forensic and analytical capabilities. In today’s risk landscape, a company’s degree of readiness to handle a cyber crisis can be a marker of competitive advantage and ultimately ensure its survival.

Less than half of respondents said that they had fully trained first response team to mobilise should a technology breach occur. Too many Irish organisations are leaving first response to their IT teams without adequate intervention or support from other key players. Only 39% of respondents reported having a fully operational incident response plan in place with over a quarter having no plan in operation.

Cybercrime is also perceived to be the highest economic crime risk going forward for Irish businesses. Looking to the future, cybercrime is forecasted to be the most frequent type of economic crime. Over a third expect more cyber attacks in the future. This may be reflective of cybercrime having a higher profile in the media through the occurrence of a number of high profile incidents as well as the significant increase of devices that are now connected to the internet. Despite significant financial losses being linked to cybercrime, respondents cited the theft or loss of personal identity information and reputational damage as having the greatest impact to their organisations ahead of actual financial loss.

Boards are not paying enough attention
Boards are not paying enough attention to cyber-readiness. Less than half (41%) of Irish Board members are requesting information on the cyber-readiness of their organisation within a given year.

The Irish Financial Regulator is also focusing their attention on this critical area through questionnaires, assurance reports and direct inspections. Boards and Non-Executive Directors are also being asked to demonstrate their commitment to cyber governance.
Boards now need to raise some key questions to evaluate their cyber readiness:

Q: Does management have a cybersecurity strategy that links to business priorities and objectives?

Q: Does management sufficiently oversee, monitor and report on cybersecurity governance?

Q: Has management defined and located the most valuable assets 'Crown Jewels' that could be threatened by a cybersecurity attack (e.g. critical data and IT and operational technology systems)?

Q: Does management have adequate technical and process controls in place for the company?

Game of Threats
As incidents multiply in frequency and cost, cybersecurity programmes within financial services businesses in Ireland require to be strengthened to rival the persistence and technological prowess of sophisticated cyber adversaries. In defending against cyber-attacks, people can become either your strongest or weakest link. Having the appropriate level of knowledge of what a cyber threat looks like, knowing what to do when an incident occurs and dealing with it efficiently are all key elements of a cyber security strategy. Raising the awareness amongst senior people outside of IT is a game-changer.

A solution developed by PwC to help organisations be prepared for a cyber threat is Game of Threats. This is a head-to-head digital game that simulates the speed and complexity of real-world cyber breaches to help businesses better understand how to resource and protect companies against cyber attacks. Using game theory, the highly interactive simulation replicates real-world challenges faced by companies on a daily basis. Users will learn about different threats, identify reputational, operational, financial and regulatory impacts as well as understand what can be done to prevent an attack. Business leaders are coached through realistic scenarios with different types of threat actors and their preferred methodologies and explain what they can do to better prevent, detect and respond to an attack.

In summary, cyber crime is becoming more prevalent as businesses continue to grow and change in this digital age. Business leaders are struggling to govern these risks. Continually asking the right questions of management and raising awareness of the evolving threats, will support business in its fight against cyber crime.
Pat Moran is Cyber Leader at PwC.
This article appeared in the July 2016 edition.