According to a report of World Economic Forum (WEF), Future of Jobs Survey 2018, the most demanded jobs by the year 2022 would be related to information technology, innovation and automation. We have entered into an era of Fourth Industrial Revolution where machines and technology are going to be more and more involved in daily lives. We are talking about Robots, Artificial Intelligence, Cryptocurrency and Block Chain etc. Not only businesses but individuals have also become dependent on IT. The concept of Global Village / Economy would have not come into existence in the absence of IT. It has become an essential contributor to our daily lives.
With so much of dependency and importance of information systems it is also essential to assess the potential risks and threats to businesses and economies associated with the use of these systems. The concept of firewalls, passwords, virus scans, backups etc. has now become little outdated, though still needed. Information Risk Management is no more a topic to be discussed by IT professionals only but needs attention at Executives and Board level to take appropriate measures against any kind of disruption to business and potential loss of data as a result of failure of Information Systems. It should become part of Risk Management Process of an entity.
If we take the concept of information Risk Management a step forward; there comes a need to understand Cyber risk.
“Any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services. The impairment of operational technology (OT) eventually leads to business disruption, (critical) infrastructure breakdown, and physical damage to humans and property. “
Cyber-attacks are on the rise globally. Cyber risk may result due to natural disaster e.g. earth quakes, floods or fire which may destroy a Company’s IT hardware, software, servers and network or it can be man- made (malafide intention of hackers, terrorists, criminals, human failure). In any case there is a risk of potential loss of confidential data and data integrity is compromised. Business reputation and credibility would also be affected.
The potential effects of these risks can be assessed according to the nature of business and its dependency on information systems. For example, banks, financial institutions, online businesses, hospitals etc are more vulnerable to Cyber-attacks as compared to others. The reason is they are dealing with an individual’s confidential data, account numbers, email addresses, credit card information, personal health history etc.
Companies should take a proactive approach to identify its susceptibility to Cyber risks and take appropriate measures to mitigate the potential consequences in the event of any threat or loss of data. This will enable the Company to be operational quickly and also minimise the costs incurred in recovery of data.
Cyber Security in Pakistan
In Pakistan, banks are considered to be the most vulnerable to Cyber-attacks. The recent attacks to Pakistani renowned banks puts question marks on the Banks ability to counter with such data crimes. Because it shows that there are security lapses which makes Hackers to succeed in their attacks.
US-based IT research company, Gartner, Inc., says that there are now 6.4 billion connected devices globally and by 2020 this figure will balloon to 20.8 billion. Similarly, Russian cyber security company, Kaspersky Lab, states that the next world war will be a cyber war.
Therefore, it has become necessary to make a thorough assessment of what other countries are doing to deal with this complex issue of the century. There is a need at both Institutional and Government level to look into the matter before it’s too late. A comprehensive Cyber Security Policy to be promulgated by the Regulator and implemented at banks to deal with online financial frauds. There is a need to continuously monitor and upgrade the IT systems and network as well as educate the users and employees about security measures to be adopted during online transactions.
An entity with a robust cyber risk management plan can minimize the potential damage from a breach and get itself back on track more quickly in the wake of a disruptive event. The first step is cyber risk assessment. Followed by protection, detection, response and recovery.
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. According to PwC, about one-third of U.S. companies currently purchase some type of cyber insurance.
Any organization that stores and maintains customer information or collects online payment information, or uses the cloud, should consider adding cyber insurance to its budget. Cyber insurance typically covers expenses related to first parties as well as claims by third parties. Although there is no standard for underwriting these policies, the following are common reimbursable expenses:
- Forensics investigation
- Business losses
- Privacy and notification
- Lawsuits and extortion
There is a good opportunity for insurance companies to explore and penetrate into this area as there is huge potential in the market. The relatively small size of Cyber insurance market shows that it has not been taken serious by Corporates and individuals till now. Insurance companies can also act as an advisor by pushing Corporates to adopt best security practices in order to avoid data breaches.
Finally a Cyber Future Strategy needs to be developed by the Corporates, Regulator and Government at large. Cyber education should also be given due importance as there is lack of technical or professional support in this area. There is a need to develop a digitally literate and responsible society in order to compete and sustain in a technology driven future.
Senior Chartered Accountant
From Institute of Chartered Accountants of Pakistan
With more than 15 years’ experience in finance, risk and insurance
Currently working as a Chief Executive Officer with
Business Risk Consultants (Private) Limited
Contact her at firstname.lastname@example.org