Why weak cyber governance is putting global businesses at risk

They were patient. It took up to four months from the time the first computer at a bank was infected with malware until the money vanished. Once they were inside the network, they tracked down administrators’ computers for video surveillance, so they could see and record everything that happened on the screens of those who serviced the money transfer systems and later mimic staff activity in order to transfer cash. By doing so, they could use online banking or international e-payment systems to transfer money from nearly 100 banks in 25 countries to their own accounts. Stolen money was deposited with banks in China and the U.S., and banks in other countries were used as receivers. All told, they made off with over $1 billion.

That this could happen is proof of the determination of cyber criminals and their knowledge of how to exploit global interconnectivity. That the bad guys, a criminal syndicate involving players from three different countries, collaborated across borders and committed thefts with disregard to them, is an indicator of how insufficient global and corporate cyber governance plays right into their hands.

“Right now the bad guys are winning,” says Luca Ravazzolo, Global Financial Institutions Lead, General Insurance Underwriting, Zurich Insurance Group (Zurich). “They can go where they want to go and do what they want to do, without fear of really being stopped, since for every organization that’s effectively stopping attacks, there are many others that are breached.”

A very real, globally interconnected risk

A recently released report from Zurich and ESADEgeo, a leading think tank on global governance, is titled “Global Cyber Governance: Preparing for New Business Risks,” and it lays bare the challenge facing the global business community. In short, the current state of cyber governance is woefully insufficient, and companies in almost all sectors are exposed to cyber threats, with the potential of enormous damage in terms of reputation and physical losses, liabilities and regulatory costs. Unchecked, growing cyber threats risk curtailing technical and economic development on a global scale.

“This is the reality that businesses face today,” says Ravazzolo. “There’s been a loud wakeup call over the past 12 months for whomever wants to hear it. The number of detected cyber security incidents has significantly gone up, and the average loss per incident has increased, too. Cyber risks are increasingly interconnected with other global risks, forcing businesses to operate in a much more complex landscape, because the cyber space is global, but cyber security frameworks are not.”

Organized crime is just the beginning of the problem for businesses. State and non-state actors have been implicated in a number of cyber attacks against businesses, though it is often difficult to identify the real actors. (It’s worth noting, too, the contradictory roles that some governments play as both cyber defenders and cyber attackers.)

The report recognizes that the necessary road to international cooperation is a long one. Geopolitical tension and ideological differences over governance approaches preclude, for the time being, strong and effective global governance institutions. The institutions that do exist are Western-centric: Only two global mechanisms are outside Europe and North America, and both of them are in Southeast Asia.

While the report recommends steps that policymakers should consider—including the creation of a G20 + 20 Cyber Stability Board along with steps to incubate it from geopolitical tension, the creation of a cyber version of the World Health Organization and the encouragement of public-private cooperation—it also encourages businesses to look to their own cyber governance.

Rethinking governance from the business perspective

Business leaders have a role to play in cyber governance in terms of building consensus, but the most immediate impact they can have is by focusing on governance in their own organizations. “To date, at most businesses the focus is on hardening cyber defense from a technology standpoint, and that’s important,” says Linda Conrad, Director of Strategic Business Risk, Zurich Global Corporate. “But corporate governance hasn’t been as big a part of the equation as it should be. In addition to the steps recommended in the report, an equally relevant part of cyber risk management is addressing the human behavioral element of it through good in-house governance around cyber connectivity that companies can start to do right away.”

While cyber policies and training might seem mundane to employees, they are critical, as the human element is generally the weakest link in cyber risk management. For example, one company that Conrad knows of was breached because hackers noticed that a group of employees ordered lunch online from the same restaurant several times a week. The hackers exploited this routine by accessing the company’s cyber infrastructure through the restaurant’s less secure setup.

“There are just so many ways in,” says Conrad. “In that particular case, good governance would have trained employees not to use corporate devices to contact third parties in that manner.”

Often businesses will simply hand responsibility for cyber security to their IT teams with instructions to build a better firewall, rather than looking at the responsibility of every employee on every desktop, laptop and mobile device. This convenient but ineffective practice has led some businesses to recognize the evolving need for the risk management structure to include someone to bridge the gap between the head of IT and the chief risk officer: an IT risk officer.

This type of position can operate throughout the various channels of an organization, such as in supply chain, which has unique cyber risk issues of its own—and not just related to cyber breaches. According to a Zurich-sponsored study with the Business Continuity Organization, 52 percent of supply chain failures were due to IT/communication outages in 2014, causing significant impact to global trade and corporate profitability.

“What this tells business leaders is that they have to broaden their definition of business interruption,” says Conrad. “Most cyber risk management has been built around data loss, but it’s important to have a more holistic knowledge of how other types of cyber events can disrupt your business, and what you need to do to prevent them, or quickly recover if they occur.”

The most visible, immediate and measureable impact of a cyber breach to a public company is how investors react. “Normally, after a major risk event, you’d look for the recovery of the stock price to start around 40 days later,” says Conrad. “If you don’t see it by then, it’s going to be a long recovery process. An organization would rather not have to bounce back at all, but if you’ve built resiliency into your business—if you have backup data sources, computing and suppliers, and advanced planning and active scenario testing in place—you could be back to business as you know it quicker than you might think.”

Key takeaways:

• Cyber criminals are taking advantage of interconnectivity and successfully finding creative ways into the digital infrastructure of businesses.
• Global governance of the cyber world is currently ineffective, but businesses can immediately focus on corporate cyber governance.
• Business leaders should broaden their definition of cyber business interruption to go beyond loss of data.
• Resiliency to interconnected cyber risks can be strengthened by building in backups to key elements of the business, and through advanced planning and scenario testing.

This article is published in collaboration with Zurich. Publication does not imply endorsement of views by the World Economic Forum.

To keep up with the Agenda subscribe to our weekly newsletter.

Author: Luca Ravazzolo is Global Head Financial Institutions and M&A at Zurich Insurance Company Ltd. Linda Conrad is the Director of Strategic Business Risk at Zurich Financial Services

Image: A man types on a computer keyboard. REUTERS/Kacper Pempel.