"Companies are under growing pressure from investors, customers and regulators seeking reassurance that cyber risks are being actively managed and that they have the capability to deal with the aftermath of an incident."
Stroz believes cyber trends - from hacktivist and insider threats to implications of potential cyber legislation in 2016 - will push corporate boards into reviewing their options to ensure they are better informed and comfortable making risk management decisions.
He explained: "Leading companies in high risk industries like financial services will appoint specialist, non-executive cyber directors. To further address the significance of such risks and get ahead of a potential corporate governance failure, organisations may also form dedicated cyber risk committees in the coming year,” he said. “Modelled on existing audit committees, the cyber equivalent will create a board-level focal point for cyber risk, with the support of independent advisers to help strengthen a business’ cyber resilience."
According to Stroz, while cybercrime knows no boundaries, certain industry sectors are at greater risk.
“Financial services, particularly banks, are highly attractive targets. UK regulatory bodies are already taking steps to move cyber resilience up the agenda, with Operation Resilient Shield the latest example of cooperation between the Bank of England and other UK and US financial authorities, to stress-test key institutions' responses to a simulated attack. As a greater understanding of the industry's preparedness emerges, we will likely see regulators push the concept of 'cyber competent' persons as a requirement for boards,” he said.
Looking forward to 2016, Stroz Friedberg highlighted other areas likely to be impacted by developments in cyber security:
• Cyber Insurance Premiums Skyrocket, Regulators Impose Carrier ‘Stress Tests’: Continued strong demand for cyber coverage will drive gross written premiums up in 2016, but constantly evolving threats, immature risk models, and an underdeveloped reinsurance market will also cause premiums to increase dramatically, particularly for retailers, healthcare providers, banks, and others considered high risk. Expect the uncertainty about concentration of exposure to lead regulators to impose cyber incident ‘stress testing’—modelling the impact of multiple, simultaneous incidents on cyber insurance carriers and, potentially, stopping those that fail these tests from writing new policies.
• Insider Threat Looms Large: Until now, the business world’s attention has been focused squarely on external threat actors. But in 2016, insider threats – current or ex-employees with knowledge of, and access to, the corporate network – will take centre stage, forcing human resources leaders into the growing cross-functional cyber security team. Expect leading edge companies to start proactively addressing the insider threat risk by investing in technologies that identify, and in some cases prevent, insider threats before they cause material damage.
• Internet of Things (IoT) Incidents Shift the Dialogue From Functionality to Security: Much like the 2014 spike in data breaches that propelled businesses to treat cyber security in earnest, 2016 will be the year of the consumer awakening. As a result of a major physical disruption—through the breach of a connected car, medical device, or weak security in a connected toy—regulators and consumers will demand action. Expect companies to spend untold amounts testing and retrofitting of IoT devices to meet hastily approved ‘privacy and security by design’ rules.
• Data Processing and Storage Goes Local: The recent demise of EU-US Safe Harbour will continue to disrupt international data flows, especially when combined with huge fines for trans-border transfers, political disputes over alternatives, distrust of U.S. government surveillance and subpoena power, and expanding European nationalism. Expect this uncertainty to drive some EU companies to avoid doing business with the US altogether, while other multinationals will opt to segregate business functions geographically by building local cloud services and data centres that protect them from penalties.
• Cyber Threats Influence the 2016 U.S. Election: During the U.S. elections in 2008 and 2012, threat actors targeted both presidential candidates’ websites and emails. Now that campaign websites are used to raise money, their desirability and profile as targets for hacktivists and cyber criminals alike, will increase. Expect to see U.S. primary frontrunners and eventual nominees from both parties successfully targeted, and at least one campaign undermined by a data breach. As the commercialisation of politics becomes ever more pervasive around the world, this targeting of political websites will expand globally, including to the UK.
|