Why Cybercrime is a Treasury Issue
This is despite the fact that over the years organisations have learned to guard against traditional hacker groups that compromise poorly-secured assets to draw attention to their causes, as well as commercial cybercrime syndicates that actively deploy hacking as a business model. Coping with these established, known threats has been a challenging journey for many.
Today, cybersecurity threats have become even more multifarious and sophisticated. Above and beyond traditional attacks, organisations now have to deal with insider threats where disgruntled employees expose sensitive intellectual property or information, with the aim of causing embarrassment to the organisation. Traditional threat actors have evolved to become well-funded, patient and highly-skilled entities, which engage in elaborate long-term campaigns to siphon money – or gain illicit competitive advantages – through the theft of intellectual property.
Whether globally or locally, the public, company shareholders and customers have been baffled at the extent of security breaches that have resulted in shaken confidence, blemished reputations and in some cases, revenue losses. It has been estimated that malicious cyberactivities cost global economies upwards of US$300bn per year, based on 2013 statistics from the Center for Strategic and International Studies (CSIS).
Assessing the Threat
Given the potential impact of cybercrime on the organisation, it would be remiss for finance professionals and treasury executives to disregard the risks that cybercrime poses to the company’s bottom line.
Increasingly, traditional bastions of the corporate treasury function – namely the financial risk management, corporate governance and stakeholder relationship committees – are seeking to understand, calculate and communicate the organisation’s resilience to cyberattacks and the protection of its information assets and customer data. Many organisations, however, face difficulties in rationalising the scope and extent of the cyberattack threat and, in many cases, lack a unified approach in mitigating it.
Organisations need to utilise a proactive threat conversion model, in conjunction with a due diligence approach, to expose the most serious potential cyberbreach scenarios and risks associated with a particular line of business.
This ‘outside-in’ approach can then be combined with relevant technology, people or process controls to understand the extent to which the line of business is protected against (or exposed to) the cyberbreach scenarios identified. It can also be paired with a plan to proactively monitor the identified cyberthreat actors and cyberthreat activities against the company’s key assets.
Considering cyber risk as an equal contributor to the organisation’s key risk indicators, together with business, financial and market risk led by the treasury function, will enable company stakeholders to better understand potential cybereconomic risks, make better business decisions to counter potential threats, and drive and protect shareholder value.
It is expected that cyber risks will only become more complex. New threats are continually emerging; being proactive in defence and fully prepared to recover in the event of a breach is fundamental to business continuity and sustainability. It is only with a deep understanding of how cyber risk affects the business, and vice versa, that the impact and power of cybercrimes can be diminished in today’s environment, where cyber fortresses no longer exist.