Can you afford to ignore cyber security?

Matthew Pryke of Hamlins LLP looks at the big financial and reputational issues that FDs need to be aware of in 2017 and beyond

It has become an almost daily occurrence to read about another organisation falling victim to a high-profile cyber-attack.

The government estimates that the UK endured a 22% increase in cyber crime in 2016, calculated by Lloyds insurers to have cost UK businesses more than £400bn. Of particular concern is the growing prominence of “whale attacks” that specifically target CEOs and FDs, which often lead to expensive ransom demands and other forms of business interruption. This troubling trend of increasingly numerous and sophisticated cyber-attacks looks set to continue, with Forbes recently predicting that the cost of cyber crime will rise to $2tn (£1.6tn) by 2019.

Whilst the concept of the risk may be understood, the real financial and reputational damage suffered by victims of such attacks is something all FDs are tasked to guard against. The potential consequences of falling victim to a cyber-attack are far reaching and go well beyond organisational disruption and financial losses. Diversion of management time, loss of business, regulatory investigations and, often most crucially, reputational damage are all too often the inevitable outcome of a flawed cyber security strategy.


Not just a ‘technology issue’

Previously, cyber security was often viewed as a technology issue. Any effective and joined-up cyber security strategy must be treated holistically as an organisational concern. With the threat and potential impact identified, the responsibility for cyber security has now been elevated to sit firmly with the board. So, does this mean that FDs should be rushing for their cheque book (which isn’t subject to cyber-attack) in search of protection? Possibly – but let’s get real – everything must be proportionate and, like all spend, a cyber security plan requires focus and a realistic budget.

This focus is often best targeted firstly towards ensuring legal compliance and then on revenue protection. Once legal compliance is secured, businesses often seek to identify the key areas of the organisation’s infrastructure which, if subject to a cyber-attack, would impinge upon the business’s continuing ability to generate revenue.

The other focus, which is inevitably linked to revenue, particularly in the medium to long term, is the business’s brand and reputation. It is worth considering how much of the negative PR and consequential loss of reputation and brand value is linked to the manner in which a cyber-attack is communicated and managed after the event, rather than to the mere fact that a business has been subjected to a cyber incident. Perhaps this suggests a growing acknowledgement that certain businesses will inevitably fall prey to a cyber-attack. Traditionally, businesses have focussed cyber spend on protection rather than on identifying and addressing cyber-attacks once they have happened. Therefore, directors should consider implementing a balanced approach – one that seeks robust protection for the areas of the business that are revenue critical, supported by a suitable crisis management strategy to identify and deal openly, proactively and quickly with any cyber-attacks encountered.

In a recent survey, more than a third of executives felt a cyber-attack was inevitable. Therefore, having a balanced and proportionate strategy, which reflects the increasing risk, is essential.

Matthew Pryke is a partner at law firm Hamlins LLP.