Having spent the better part of the last 16 years working in the Cyber & Digital Forensics space, and being continually surrounded by some jolly smart people, I thought I would condense some of my views, and those of people in the ‘know’ about some of the drivers that will affect business in the near future when thinking about Cyber.
I hope you find this interesting…
- RegTech… a snappy name for technology regulation
This originated in the financial sector, where banking rules such as anti-money laundering (AML) and know your customer (KYC), designed to prevent fraud, theft, loss and other illegalities, have led to additional regulatory burdens on financial institutions.
In the Cyber security space, we have seen the rise of automation (security orchestration and automated response) for a while in threat detection and response. However, the regulatory burden is increasing for CISOs and audit teams too, so this is driving the same approach to controls monitoring, audit and assessment while dealing with the scarcity of security resources, i.e. using RegTech to automate assurance in the Cyber security framework that is in place. As threats increase and regulatory burdens (such as GDPR, Open banking and PSD2) continue to magnify the scale of risks, we predict continued adoption of RegTech solutions across all sectors. This will help to ease the audit burden by analysing and making decisions about the state of Cyber risk management, and in some cases launching workflows to resolve issues that have been identified.
- Privacy and security risks will become reputational rather than just technical or financial
There is no doubt that privacy and security breaches have financial impacts (just ask BA and Marriott).
This can include the monetary losses through fraud, the costs of communicating with affected customers, credit/identity theft insurance, consultants’ fees to investigate the breach, the well-publicised regulatory fines, PR costs and legal fees, as well as marketing costs to rebuild a damaged customer base.
The value of reputation is much more keenly felt by businesses as something that can be irrevocably damaged. This is not limited to security; it can be due to service shortcomings, environmental impacts, labour practices, paying taxes or boardroom tangles. ‘Data custodianship’, or how responsibly and carefully people’s personal data is treated, is increasingly a part of corporate social responsibility that cannot be ignored.
The rise of customer boycotts, social media and activism means that failures can be hard to recover from, and this trend for citizen power in the face of corporate failings will continue to be a factor in 2020.
- Acquisition/Merger due diligence will receive a boost
There have now been two big high-profile cases where Cyber security has been the centre of attention for mergers and acquisitions.
The first was the purchase of Yahoo by Verizon. Yahoo had a breach and Verizon found out about it (along with the rest of the world) before the transaction had completed. As a result, Verizon saved themselves £350m and Yahoo took a hit.
The second was Starwood, which also had a breach. This time Marriott didn’t find out during due diligence prior to acquiring Starwood, which cost them a fine of £100m from the UK Information Commissioner’s Office.
These two examples indicate there will be greater emphasis on Cyber security due diligence during these sorts of transactions. Three obvious angles for this are:
- Has the deal target already suffered a breach that constitutes unspecified financial liabilities? – Is there a smoking gun?
- How likely are they to have suffered a breach that has not yet been identified? – How good is their cyber hygiene?
- What risks do their systems pose to the acquirers when they are connected? – Is this a third party we would normally be happy to link up with?
I predict acquirers will have to increase investment in Cyber security as part of their value appraisal of potential targets to avoid incurring later costs (or fines) of hundreds of millions should they omit or miss something.
- Cyber insurance will evolve
In the US, Cyber insurance is buoyant and driven by mandated data breach notifications where costs and pay-outs have been easier to quantify than the fines and sanctions imposed by regulators in other countries.
For many businesses (and insurers) there are challenges: how big should premiums be for a given risk, how do we quantify risk (for the insured party and the underwriter), and what level of diligence and assessment is appropriate (questionnaires, or some form of direct external or internal assessment)?
For the market to grow further (especially outside the US) these types of questions will need to be answered.
We have seen signs that the use of technology and more actuarial approaches are starting to be adopted in the global Cyber insurance industry. Increasingly insurers will want to deploy “black box” type security measurement and telemetry solutions to monitor Cyber risks to keep premiums low (and make pay-outs less frequent), reduce the overhead of scrutiny and to better understand changing risks from cyber hygiene.
The view that Cyber insurance is a control that can be deployed in lieu of security investment, that you can save money on controls if you have good insurance, is being seen as the myth it is; underwriters do not underwrite ‘unknown’ exposure.
It is self-evident that for the market to function for both sides, there must be some level of control, otherwise the premium will be prohibitively high. Spending on recognised controls can be an offset against reduced premiums as well as against the losses and impacts that occur, particularly as the cost of a loss is only incurred when it happens, whereas an insurance premium is paid every year irrespective; any reduction is a guaranteed saving rather than a potential one.
Businesses can either pay for insurance (a definite lower cost) or risk a loss (higher potential costs if it happens). Mandated Cyber insurance may change this overnight if a regulator, government or large supply chain decides it is appropriate.
- Audit rules will drive greater automation
The rules around corporate audits go beyond just the Cyber security remit, encompassing financial reporting and exchange filings, as the role of boards and the information provided to stakeholders, regulators and investors is improved.
We’ve seen the requirement to record and report Cyber security risks and breaches in reports and filings for some time. The Cyber security threat is firmly on boards’ agendas, and it is increasingly common for audit functions to look in detail at Cyber hygiene or risk exposure that businesses have as part of their internal or external audit programme.
There is an imperative to establish the status of controls and the level of trust in systems and to ensure that risks and breaches are accurately quantified and reported where they might lead to financial liabilities or costs.
As audit scopes grow to encompass Cyber security, the process of audit itself has been striving for improvements. The latest US Public Company Accounting Oversight Board (PCAOB) rules now require auditors to report not just on the level of assurance in controls, but also on the availability and timeliness of evidence and the amount of human interaction between the systems and the audit function.
This means identifying the risks that a control could fail and go unnoticed or, worse, could be concealed. The improvements aim to reduce the chance and scope for misstatement, either accidental or deliberate, through not having accurate control performance data.
Technology is increasingly being used to speed up audits, to make control measurement continuous and to minimise human influence in data gathering and analysis, reducing both the overhead and the risk of interference. Gartner has coined a term for this: CARTA (Continuous Adaptive Risk and Trust Assessment). However, hot off the back of ‘Fintech’, the wider industry is using the term ‘RegTech’ for the broader compliance technology solution area.
- Skill shortages will continue
A year is too short a period to alleviate a skills shortage such as the one in Cyber security.
It is a multi-year, longer-term challenge involving training, schools, academia, promotion and growth in professionalism for people moving into the sector from other related roles. Increasingly we are seeing a dynamic where the demand for skills is not just for security but for those who have a wider view across Cyber risk, and the areas elsewhere in the business to which it relates.
Multi-skilled individuals will be increasingly scarce, and it will become particularly evident in the short term as Cyber risk interfaces more directly with compliance, audit, marketing and other business functions. Expect to see demand for security teams that better understand the wider business risk landscape (as well as security risk management), for privacy and security managers that can shape their strategies in terms of marketing and reputational endeavours, for IT staff that can understand the point of view of audit (and vice versa) and for Cyber security operations teams that will understand and see audit as a beneficial arbiter, rather than an overhead.
- Supply chain risks continue to get focus
The risk posed by the ‘supply chain’ to Cyber security has never been in sharper focus. Numerous breaches have occurred as a result of lax third-party protection of data, and the rise of regulations that enforce greater diligence (such as GDPR) means this is a well-established problem.
The audit side of this has been maturing for a while: the SAS70 process for supplier audit and the SOC2/3 methodologies for auditing service providers continue to evolve. In parallel, various government-run schemes or standards have been defined, such as FedRAMP (US), Cyber Essentials (UK) and Essential 8 (Australia), to allow agencies to gain more universal assurance from those that service them.
In the Defence sector, the US has been developing a Cybersecurity Maturity Model Certification (CMMC) approach for their defence supply base. Version 1.0 of the framework will be available in January 2020 and by June, defence suppliers should begin to see these requirements in RFIs. In 2020 we predict greater international efforts to unify this assurance process so that multinational suppliers have one common set of hoops to jump through rather than several separate ones.
No matter whether you are a multi-billion corporation or an SME, all of the above has some relevance; nevertheless, there will remain no shortage of Boards that wish to fly blind, trust to luck or maliciously ignore the reality of Cyber threats. Who knows, they may be lucky. Either way, the truth is that very few organisations have the specialist skills in-house to deal effectively with Cyber. Edge IT Group and similar specialist Cyber consultancies provide the expertise businesses need if they wish to stay Cyber safe… it’s not what you know, it’s who you know!
Co-founder & CEO, Edge IT Group