Before leaving a company, a disgruntled employee inserted a script in the system which had been programmed to bring down the company’s IT system at a later date. On the specified date, the business systems of the company crashed, resulting in substantial losses to the company.
Above and beyond the high expenses incurred to investigate the event, the financial and reputational loss suffered by the company was irreplaceable.
Such incidents are no longer an aberration. They are cyber risks to be taken seriously.
What is cyber risk? Any threat connected to the use of technology or data, impacting a business or an individual, is a cyber risk.
Cyber risk is a key concern for any commercial or government establishment. According to a statement by Communications Minister Kapil Sibal, in Parliament, cyber security threats and hacking attempts rose to 22,060 in 2012 from 23 in 2004.
The data vulnerable to attack would include most information not in the public domain. Unfortunately, cyber criminals keep pace with developments in data security and, if not outpace them, come up with more complicated programmes to breach systems.
Recent data indicate that India is ranked third globally in terms of vulnerability to cyber attacks, accounting for 6.5 per cent of the targeted attacks in 2012.
Company managements are now realising that it is important to understand what information their company holds, where it is located, and how it is protected.
Financial losses resulting from breach of a system and theft of data can be huge.
Some high risk sectors are banking and information technology as they handle and process large amounts of personal and proprietary data for their customers on online platforms. There are also concerns on the likely impact on the outsourcing industry which depends upon work from overseas companies.
Two Indian technology firms, working as outsourced payment processors, were in the spotlight recently for their alleged role in a $45-million credit card fraud impacting Indian and international banks. In another incident, cyber criminals reportedly hacked into an RPG group company’s bank account and siphoned off Rs 2.4 crore through the real time gross settlement system (RTGS).
The Implications These are not “one-off” incidents. Senior managements must be cognisant of the dangers. These include loss of market value due to leakage of confidential data, direct and indirect losses resulting from business interruption, losses resulting from theft of proprietary information or reputational losses which impact the share value of a company.
Companies identify reputational loss as the biggest risk in case of a breach.
The mishandling of a situation after a breach could result in undermining the confidence and trust of customers and other stakeholders, directly hitting a company’s share value and balance sheet.
One of the direct consequences is the cost of a business hold-up, including loss of revenue, recovery costs and penalties, loss of productivity; irreversible damage to the corporate brand and customer trust; and exposure to class action lawsuits.
Intellectual Property The third among the top three reported losses is theft of intellectual property such as confidential information and personally identifiable customer information.
According to the National Crime Records Bureau, there has been a 60 per cent increase in cases registered as cyber crime.
Over three-fourths of all breaches were exploits of weak or stolen credentials (not, for instance, writing passwords in a secure manner), and 40 per cent breaches used malware such as e-mail phishing.
These are serious implications. More so as cyber criminals seem to be moving from conducting random attacks to sophisticated operations by organised crime rings.
Organisations such as Deloitte Touche (Cyber Security and Audit Committee, August 2013) and Guy Carpenter (Emerging Risks Report, September 2013) have observed that company boards should assess the cyber threat to a company as an enterprise, and not just an IT, risk.
The Solutions In the developed world, governments have started bringing in legal and regulatory frameworks.
These involve large fines and penalties for an entity in the event of a cyber breach. For instance, the European Union Privacy Directive provides that companies that violate European data protection rules may be fined up to €1 million or up to 2 per cent of their global annual turnover.
In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, an amendment to the IT Act, 2000, enforces a criminal liability of imprisonment for two years and a civil liability of a fine of Rs one 1 lakh or both for a breach.
In addition, the Reserve Bank of India has directed banks in India to insure themselves against cyber risks. Increased government attention can lead to more comprehensive laws, with implications of higher penalties, to reflect global trends.
It would be wishful thinking to imagine that any organisation is impervious to cyber attacks.
How these are understood top-down, right from the board level, and tackled accordingly, will determine business continuity and profitability.
( The author is Country Head and CEO, Marsh India Insurance Advisors Pvt. Ltd. )
Comments
Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.
We have migrated to a new commenting platform. If you are already a registered user of TheHindu Businessline and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.