When cyber security becomes a national responsibility
By Angel Kuan
Internationally, the corporate and government risks relating to cyber attacks have never had a higher, or more confusing, profile. It is becoming increasingly hard to pinpoint where and what attacks are coming.
To muddy the waters, and risks, state, company, and criminal parties all seem to be in on the act. From Snowden to North Korea, from hackers to leaks - data theft, the loss of confidential client details, and denial of service attacks are all in the news.
If evidence is required as to how seriously this is being taken by local officials, then one need look no further than the laudable decision by the Singapore government to create the National Cyber Security Centre.
Of particular note were the comments that Singapore is a highly networked government. This, of course, creates risks around one vulnerability having serious downstream effects on other systems and capabilities.
But it is also clear that these risks are just as relevant for private sector companies. Responsibility does not stop with the government. Singapore, as a nation, has gone down the high tech route and, as such, the exposure is shared.
Recent attacks on South Korean banks, reportedly by North Korean interests, show that businesses need to be aware of, and protected from, a new type of threat that could come from, literally, anywhere.
Corporate Singapore should also be aware that there is an international trend of regulators clearly pushing responsibility for defending, and reporting, these attacks back into the boardroom.
For a number of reasons, cyber attacks are no longer just an IT department problem, and here are, perhaps, three risks businesses need to increasingly factor into their operations:
1. Go directly to jail...do not pass GO. Director and executive liability
Yes - thanks to the continued fallout from the GFC (and other major mishaps), the buck now increasingly stops with the directors and senior management. Negligence, and not taking cyber attacks seriously, now means a lot of trouble.
If you run a privately owned power company in the US, and the lights go out due to a cyber attack, the finger could very well be pointed at you.
2. Brand risk. What’s your brand worth?
Your shareholders and/or stakeholders might say quite a bit. If your product is reliant on infrastructure that can be taken down (think banking, gaming, trading, logistics, online retail...the list goes on) then what effect will a cyber attack have on your reputation?
Would YOU use a supplier who couldn't protect your private information? What is the cost of repairing a broken brand? If you run a family-owned business, what's your family name worth?
3. How’s your supply chain looking?
With greater interconnectedness comes greater supply chain risk. It may not be your systems at risk...but if your key supplier's system went down, this may very well become a 'joint' problem. Supplier due diligence in relation to cyber security might be more of a pressing issue than you think.
If cyber security is pushing its way to the top of the agenda, the boardrooms have to take note. And if boardrooms are having to prepare a response, the insurance industry has to provide solutions. The risks are understood, at their most basic levels, but supply chain and brand risk are relatively new concepts to the insurance industry.
But solutions do exist, and businesses in Singapore would be well advised to start a conversation with experts in this area to, at least, better understand what defences are available to protect from a cyber attack.