Understanding the issue

Not everybody in the workforce has the same perspective on cyber security.  Members of the workforce who are approaching retirement began work in the age of typewriters, paper filing and card indexes.  Digital storage and analysis of digital data sets was simply not technically feasible.

All that has changed and with increasing speed.

All companies now have vast data sets of information on clients, suppliers and employees, as well as confidential business data. Companies now rely on computer-based systems to execute daily work.  In addition, consumer-facing companies usually have multiple interactions with customers through their portal.

This exposes companies to risks that simply did not exist in the recent past. Today, cyber security is one of the top 5 risks facing businesses in Asia Pacific. A 2018 study by Microsoft on the cybersecurity threat landscape in Asia-Pacific revealed that cybersecurity incidents may cost the Malaysian economy a staggering RM49.15 billion – more than 4% of Malaysia’s total GDP.

The risk that has received the most consistent and high-profile coverage is breaches of confidentiality regarding personal data.  This is usually, though not always, the result of hacking. 

On 29 March 2018, Bank Negara Malaysia revealed that they had detected and foiled a cyber security incident involving unauthorised fund transfers using falsified SWIFT messages. No funds were lost in the incident, but it prompted additional safeguards to bolster security. This was the second known hack of a central bank after the 2016 theft of USD81 million (RM330 million) from Bangladesh Bank. Incidents like these reveal weaknesses in the financial transfer system globally, as hackers use more sophisticated tools and techniques to launch attacks.

Singapore also suffered its worst-ever cyber attack on 27 June 2018 when hackers infiltrated the databases of Singapore Health Services (SingHealth), the largest group of healthcare institutions in the country. Personal information belonging to 1.5 million patients, including that of Prime Minister Lee Hsien Loong and other ministers, were illegally accessed and copied. Authorities, who are still investigating the incident, called it a “deliberate, targeted and well-planned cyber attack”.

This Techworld article further gives useful coverage of some of the major data breaches in recent years.

Though personal data leaks receive the lion’s share of the coverage, companies’ key operating systems are also exposed to security risk. An example here is the hacking of US electric utilities systems, which could have allowed the Russian hackers to cause power blackouts.

An additional danger is blackmail demands. Allegedly the largest ever such case, Nayana of South Korea, involved a $1 million payment.

In addition to reputational damage and loss of trust from customers and other key stakeholders, poor cyber security can in some jurisdictions open the company to fines where personal data security is breached.  Crucially, investors are increasingly factoring cyber security performance and preparedness into their evaluations and decisions. Even regulators are moving forward. In Sept 2018, the Monetary Authority of Singapore (MAS) also announced a round of consultations on fresh requirements for financial institutions to strengthen their cyber resilience.

Given the current landscape, the call to action for boards is clear-cut: Cyber security is not an issue that companies can afford to ignore. A proactive approach to ensure preparedness and resilience is needed.

Five steps every board should take to safeguard against cyber risks

1. Ensuring the board has the right skills and understanding

The resilience and reliability of Information Technology (IT) is increasingly important to business success. 

When setting out to recruit a new non-executive director, companies would be wise to consider whether they have a skills gap in IT that needs closing, in particular if it is related to cyber security. 

Equally, all board members should be receiving education about cyber security. This is certainly happening in a number of Malaysian companies which address this issue in their annual reports. An example is Maybank, which indicated the need to strengthen their Board’s skillsets in cyber security, as part of their Actionable Improvement Plan in 2018 to improve board effectiveness. Sime Darby and IOI also provided similar training to their Directors recently.

2. Taking a strategic overview and deciding on future governance

Before deciding on how to give ongoing oversight to cyber security, the board should review how cyber security fits in to its business model and plans, what the company’s current practice is and who holds managerial accountability for the matter.  It is prudent to seek expert external advice when considering this.

The default position is often: ‘this should be a matter for the Audit Committee.’ However as SpencerStuart points out: “…while the audit committee may be well-equipped to address issues of risk, audit committees are not traditionally oriented towards matters of innovation, competitiveness and strategy – all of which are essential to effective technology oversight.”

Axiata, a Malaysian telecommunications conglomerate, has set up a Cyber Security Steering Committee which reports to the Board Risk Management Committee, to ensure that there is formal accountability and appropriate oversight for the issue at top management level.

(Source: Axiata Annual Report 2017)

Different boards will arrive at different solutions.  The key is that all board members recognise why the arrangement has been set up and what it is expected to deliver.

3. Developing a cyber security check-list

Expert commentators offer a broadly similar set of questions which boards should ask. The simplest is the six-question format offered by PwC:

* Do we have the information we need to oversee cyber risks?

* How effective is our cyber security strategy at addressing the risks the business faces?

* How do we protect sensitive information handled, stored and transmitted by third-party vendors?

* Do we have cyber insurance?

* How do we stay current on the threat landscape around the industry and the market?

* Do we have a tested cyber incident response plan?

4. Management arrangements and monitoring

Far more than is the case with most other subject areas, commentators suggest that boards take particular care to make sure that management establishes a company-wide risk management framework with adequate budget and staffing.  

Further, that serious consideration should be given to securing external advice in order to keep abreast of latest developments in what is a fast-moving area.

One of the few Malaysian companies that have done this is Tenaga Nasional Berhad, which identified cyber security management as one of their key material issues that needs to be managed by the business. It developed a Cyber Security Strategy and participated in cyber security drills, simulating cyber attacks and the company’s readiness to respond to such incidents.

5. Reporting

Finally, the board has a duty to ensure that its positions and actions on cyber security are clearly and effectively communicated, particularly to shareholders.  An example of this being done well is provided by the Standard Chartered Annual Report 2017. 

Here, the question of cyber security is not confined in the sections of the report dealing with risk.

The CEO places cyber security within the bank’s overall strategy and progress during the year (page 6).  The Group Chief Risk Officer deals with cyber security as a key risk (page 33).  Cyber security is one of a list of issues on which Standard Chartered has engaged with policy makers on (page 36). Under the section Matters reserved for the decision of the Board and delegated authorities, the report notes the appointment of Sir Iain Lobban as independent advisor to the Board and its committees on cyber security and cyber threat management (page 53).  

This is in addition to insights on cyber security and governance on page 177:  “Close and continuous oversight of information and cyber security risk in the Bank is performed by the Technology Operations Risk Committee (TORC) and the Group Operational Risk Committee (GORC), with the GORC being appointed by the Group Risk Committee.”

So cyber security is properly reported throughout and is linked to the bank’s strategy and governance.

Not all companies need to give such ample coverage to the topic as an international bank like Standard Chartered. Nonetheless, in comprehensiveness and balance it provides a standard of reporting that all boards should aim for.

In Malaysia, CIMB, PETRONAS and Public Bank Group are some of the few listed companies that included a commitment on cyber risks in their Annual Reports. Genting took the step of disclosing its exposure to malware, ransomware, unauthorised access and corruption/loss of its information assets, as well as the processes it has put in place to close identified gaps.

Looking at the disclosures on cyber security by Malaysian listed companies generally, it is clear that there is much more to be done to prepare for and manage this growing threat. Reporting on this issue must improve, as investors and other stakeholders will be eager to see how companies are managing their cyber issues.