By Rory Macfarlane, Partner, Ince & Co Hong Kong
“Nothing is certain but death, taxes and cyber-attack”
Had Benjamin Franklin been alive today he would have probably added ‘cyber-attack’ to his list of life’s certainties. It is no longer a question of ‘if’ your business will face a cyber-attack, but a question of ‘when’. With 60 percent of companies that suffer a successful cyber-breach going out of business within six months [1], this issue is no longer one that a prudent board can ignore.
Cyber-attack now sits at the top of most tables depicting business risk [2]. As with any form of crime, the perpetrators are looking for the easy victim; the low-hanging fruit. Ensuring that your business is better protected than your competitors is a significant step in the right direction.
It seems likely that when we reflect on 2017 in years to come it will be viewed as the year in which cyber-attacks, and the complementary issue of cybersecurity, reached the wider public consciousness for the first time. This is particularly true in the shipping, transport and logistics industries where the impact has been acute. But the lessons to be learned, and the warnings such incidents give, apply to all businesses across every market or sector.
Consider the recent ‘not-Petya’ cryptoware or ‘data wiper’ attack. It drew headlines around the world, notably within the global transportation sector, for temporarily shutting down parts of the leading Danish shipping company Maersk Line. That the attack did not impact Maersk’s ability to physically load and transport containers, but instead targeted data-driven processes such as obtaining customs and port clearance, did not prevent it causing considerable operational difficulties for Maersk. This in turn led to significant disruption at key ports around the world.
That high-profile attack, coming so soon after the ‘WannaCry’ ransomware incident earlier this year, provided yet another reminder of just how damaging cyber-attacks can be. No organisation or business sector is immune. One-third of the UK’s National Health Service was affected by WannaCry, and the victims of not-Petya ranged from the radiation monitoring system at Chernobyl, to a European pharmaceutical company and a global advertising agency.
The attack threat — popular perception vs reality.
Every company will have its own vision of what a catastrophic cyberattack could look like for it. However, the popular imagination tends to lean towards Hollywood-inspired images, perhaps of an oil rig or a ship being remotely ‘taken over’ by nefarious forces, to devastating effect. However, the reality for most organisations is very different.
That is not to say that a vessel, a vehicle, an industrial facility or any equipment that has internet connectivity and digital operating systems couldn’t be ‘hijacked’ remotely; they have been. Future cyber-attacks certainly do have the potential to be deleterious to the physical assets of an organisation, to the safety of the people working on, or in, them and to the wider environment. Each sector must address the unique challenges that its physical infrastructure poses. For the shipping industry, there is rightly a lot of attention right now on the vulnerabilities that arise from increasing levels of on-board digitalisation, automation and ship-to-shore connectivity.
But neither the shipping industry, nor any other business sector, should be lulled into the complacency of believing that it is only physical assets that are attractive to cyber-criminals or cyber-terrorists. Your data, and your money are the primary targets. Most cyber-attacks will focus on the operations that are not outwardly visible, but that can be no less damaging, commercially, financially and reputationally. These attacks can take many different forms and are more likely to be indiscriminate than targeted.
Cost of a successful breach
In an increasingly digitised world, cyber-breaches can have far-reaching consequences and costs. Individual losses from a single event can be huge. Last year’s now infamous hack of the Bank of Bangladesh systems resulted in a US$81 million loss from a single event [3]. One estimate suggests that the annual global cost of cybercrime is forecast to rise to US$2.1 trillion by 2019 [4].
Despite these risks, many companies still remain unaware of, and unprepared for, the consequences of a cyber-breach of their operations. Both not-Petya and WannaCry provide examples of how damaging and costly an attack can be. Indeed, Maersk has recently said that it is “too early” to fully ascertain what their losses might be from the not-Petya attack [5]. Second- and third-quarter financials will reveal the true cost of what was — at its origination — a relatively small cybersecurity breach.
According to a Bloomberg report, the attackers behind the WannaCry ransomware and the not-Petya data wipe earned just US$160,000 in bitcoin [6]. However, to quantify the impact of ransomware and phishing attacks solely in terms of ransoms paid or monies misappropriated is a mistake. The losses in terms of business interruption, rectification and market reputation can run to many millions of dollars. When the additional costs from lost sales and remedial action are factored in, it is estimated that the WannaCry and not-Petya cyber-attacks will have resulted in hundreds of millions of dollars of revenue foregone by the affected businesses [7].
The impact on individual affected companies is similarly staggering. A large European skincare product manufacturer claims to have lost over US$41 million in sales in the first half of 2017, which does not include the cost of held inventory and halted production in its 17 plants. The company’s HQ in Hamburg, as well as computers from over 160 offices around the world, were infected. Similarly, 2,000 servers and 15,000 laptops were attacked at a UK-based consumer goods company, resulting in lost sales of US$118 million, with manufacturing capacity severely affected.
Has the boardroom been too slow to react?
The best form of defence is a proactive approach to minimising cyber-risk. It is increasingly becoming clear that security protocols and a cyber-response plan are not optional ‘nice to have’ extras, but something that should be considered and addressed at the very highest level within every organisation. That in many cases this is still not happening is confounding.
One reason might be traced back to the unfounded hype surrounding the last big IT scare, namely the Millennium Bug or Y2K panic. This was the feared computer bug relating to the formatting and storage of calendar data. It arose because 20th century computer software only recorded dates in four digits, with the last two representing the year. The fear was that on the turn of the millennium computers would not be able to differentiate between the year 2000 and 1900. The media was awash with predictions of planes falling from the skies, life savings disappearing and millions being wiped off the stock markets. None of this ever happened. It was the bug that did not bite. The tens of thousands of dollars that companies spent on contingency plans and safety nets were wasted. However, its legacy may be that many executives view cyber-crime risk in a similar light and are accordingly hesitant to invest in protection. That would be a mistake. While the Millennium Bug may have been a fiction, cyber-crime is not. Directors who ignore the need for appropriate cybersecurity systems are not just exposing their businesses to risk, but could themselves face personal sanction for breach of the fiduciary duty they owe to their companies.
Protecting your business
For those working within cybersecurity, these recent high-profile attacks came as little surprise. But might they be the tip of the iceberg? There have been over 70 different ransomware attacks in the four months since WannaCry, although these have been largely ignored by the mainstream media. Some estimates already place the global number of victims of cyber-crime as high as 300 million per year [8], but the reputational damage for companies could have an even bigger, hidden cost. A pristine track record for service, reliability and regulatory compliance could be irreparably damaged in the event of a severe, public breach.
While the costs of this type of damage are hard to quantify, they add yet another reason to an already lengthy list of good reasons to invest in appropriate cybersecurity systems and employee protocols. The importance of this latter step, employee protocols, cannot be emphasised enough. To some it may seem counter-intuitive to focus on staff when implementing defences to cyber-attack; but it isn’t. In more than half of the successful cyber-attacks the source of the breach can be traced back to an ‘insider’ — someone who works for the company. Sometimes it is a disgruntled ex-employee with an axe to grind. But more often it is the innocent, unintentional act of a loyal employee unfamiliar with the technological or social-engineering tricks employed by cyber-criminals.
With regulators currently tending to encourage self-initiative on the part of companies rather than imposing punitive fines for non-compliance, the onus is on each business to develop its own contingency plans. What constitutes an appropriate plan will vary from business to business, depending on how it uses and stores its data. Every organisation also needs to be alert to the regulations governing data protection and cybersecurity in its jurisdiction.
Improving your cyber protection need not be costly. Significant improvements can be made for a modest investment. Moreover, in some jurisdictions, for example Hong Kong [9], funding is available to assist companies in meeting the cost of improving their protection.
Steps should be taken to ascertain if existing insurance coverage extends to cyber breach losses. Although insurance provides a financial safety-net, it is no substitute for good cybersecurity practice. Whilst the added assurance of assistance in the event of a breach is a comforting element of any contingency plan, responding to a cyber breach can be costly. Most organisations do not have the funds immediately available to mount an effective response to a cyber-breach, even if they do have an appropriate response plan in place. There are insurance products available in the market which provide access to funds for this very purpose.
Ince & Co is working with the leading cybersecurity team at Navigant to help companies address their businesses’ cybersecurity needs through a cyber health-check. This product can be tailored to meet specific needs. It usually covers a technical review of the IT systems, an evaluation of relevant protocols, contracts and policies, a summary of applicable regulatory obligations and an analysis of insurance cover. The health-check is intended primarily to be used to minimise the chances of a breach occurring. However, it also has a role to play as part of the response to a successful attack in order to plug holes, revise protocols, ensure a system is not still compromised and provide a list of ‘lessons learned’ to the board for future strategic planning. With it now being commonplace for cyber-criminals to remain in a system for up to six months after an initial breach before striking, it may be that your business is already more at risk than
Prevention is always better than cure. A proactive, top-down culture of cybersecurity is absolutely essential if your business is serious about mitigating the threat of cyber-crime. But the lead must come from the board; it cannot be left to the IT team. To be effective it is something that must be embedded into the culture of a business. Whilst applying software patches is crucial, it is not enough on its own. As global businesses across every sector of our economy embrace the benefits of the cyber-age and digitalisation in all its forms, it is only prudent to ensure that we also manage the risks.
Tel: 852 25877 3221
Fax: 852 2877 2633