By Jessica Tasman-Jones
This article is brought to you by Agenda, an FT Specialist publication that focuses on corporate boards
Cyber incidents – including system outages and ransomware attacks – are the biggest risk for companies in 2023, according to a recent report by financial services provider Allianz.
Companies are most concerned about data breaches. In the UK, 57 per cent of respondents to the survey said it was their main worry within cyber security. “Data privacy and protection is one of the key cyber risks and related legislation has toughened globally in recent years,” the report notes.
Just this week retailer JD Sports revealed the data of 10mn customers was compromised by a cyber attack.
This follows a string of other hacks. The Guardian newspaper was attacked in December last year, and staff’s sensitive personal data, including bank account details and passport information, was breached.
Just last month Royal Mail was left unable to process overseas post after a ransomware attack, while Yum Brands, the owner of KFC and Pizza Hut, was forced to close 300 of its UK restaurants for a day following a breach.
“Cyber security is an enterprise-wide risk management issue,” says Scott Sayce, global head of cyber at Allianz. “Boards need to initiate and implement a cyber risk management structure that covers the entire organisation – from the top down to third-party vendors – ensuring there is sufficient budget and staff resources to establish such a framework.”
Not all cyber attacks result in a data breach, says Sharad Patel, data privacy and cyber security expert at PA Consulting. Privacy enhancing technologies, such as encryption, anonymisation and pseudonymisation, can prevent a breach, he adds.
But cyber attacks that do compromise data take more effort and coordination to respond to, according to Patel. Organisations will need to notify relevant authorities, understand the impact on individuals whose data has been compromised, notify them and provide them with adequate support, he explains.
Under the UK General Data Protection Regulation, companies have 72 hours to report a personal data breach to the relevant regulatory authorities. Individuals who have been affected must also be notified “without undue delay”.
The average global cost of a data breach reached a record $4.35m in 2022, according to research from IBM. This is up 2.6 per cent from 2021 and 12.7 per cent from 2020. The research indicates that the average cost of a data breach in the UK is slightly higher, at about $5m (£4.04m).
But most boards aren’t quantifying their company’s economic exposure to cyber risk, according to Bob Zukis, chief executive and founder of the Digital Directors Network and professor of management and organisation at the University of Southern California Marshall School of Business.
Research suggests some parts of the executive team are also out of the loop. Only 40 per cent of finance teams receive regular updates from their information security colleagues, while some 37 per cent had never had one, according to a report from risk and financial advisory company Kroll.
Seven out of 10 respondents also noted that their most significant cybersecurity incident in the previous 18 months had resulted in at least a 5 per cent drop in company valuation.
Data breaches risk potential remedial costs, reputational damage, regulatory enforcement and litigation – and boards need to consider their appetite for these risks, says Robert Allen, partner in the disputes and investigations team at Simmons and Simmons.
Boards should ensure they have sufficient knowledge of the company’s data security structures and who in the organisation holds key positions, says Allen.
Directors also need to ensure the company regularly trains staff about data privacy and security and to make sure the company’s cyber security processes and policies are understood by staff and all relevant third parties, advises Sayce.
Boards must be aware of pressure from shareholders too. In January proxy advisor ISS launched a tool for investors to evaluate the likelihood of a company suffering a material cybersecurity event within the next 12 months.
Data breaches can negatively affect society, so they are an environmental, social and governance (ESG) consideration for shareholders, says Del Heppenstall, partner at KPMG’s cyber security practice. The storage of excess data can also affect carbon emissions, he adds.
But ultimately, strong cyber security is down to the culture of the company and its people, says Sayce.
This article is based on a story written for Agenda by Frederic Lee