Treasury Today Country Profiles in association with Citi

Held to ransom

Cyber-criminal concept with person unrecognisable in hoody

Cybercrime is a major concern for companies around the world, with ransomware attacks becoming particularly widespread – but how can treasurers determine the extent of the possible losses if an attack does take place?

Cyber-risk continues to be a focus for businesses around the world. The World Economic Forum’s Global Risks Report 2018 stated that cyber attacks against businesses have almost doubled in the last five years, noting the cost of cybercrime to businesses is expected to be US$8trn over the next five.

While 2016 saw US$81m stolen from Bangladesh Bank, 2017 was characterised by a proliferation of high profile ransomware attacks – the most serious of which affected hundreds of thousands of computers around the world and cost some corporations hundreds of thousands of dollars to address. Against this backdrop, how can treasurers go about quantifying the risks they face – and how can these risks best be managed?

Cyber-risk is one of the main business risks currently affecting the corporate landscape. It’s also an issue which is constantly developing. Carl Sharman, a Director in Deloitte’s Treasury Advisory practice, explains that the landscape is continuing to evolve: “It’s becoming more mainstream in terms of organised crime,” he says. “Criminals are increasingly able to perpetrate very lucrative crimes without leaving their homes or offices.”

That said, Sharman differentiates between different types of cyber-risk. The first, he explains, is where highly skilled individuals are trying to hack into systems and extract value through technological means. According to Sharman, some clients are taking action against this type of risk by inviting hackers to test their systems for weaknesses.

“The flipside is the low-technology targeting,” he adds. “Although this is very technologically focused, the greatest successes are caused by testing the weakest link in the chain, which tends to be the human link.”

Changing profile

While cyber-risk includes a variety of different approaches and techniques, Fenton Burgin, Head of Deloitte’s UK Debt Advisory team, observes that the risk profile of cybercriminals has changed markedly over the last 18 to 24 months. “More companies are concerned about being targeted by an organisation, rather than a lone wolf individual,” he says. “This fundamentally means that a broader range of companies now have to have this on their agenda.”

The average cost of cybercrime has increased from US$9.5m per organisation in 2016 to US$11.7m in 2017.

Shirley Inscoe, Senior Analyst at Aite Group, agrees that attacks are becoming more sophisticated. “Originally, many threats were from hackers and young people who just wanted to show how smart they were by breaking into systems,” she says. “Today, threats are much more serious. Many are backed by unfriendly nations, and they often are directed against key infrastructure.”

At the same time, the cost of individual attacks is rising. Accenture’s 2017 Cost of Cyber Crime Study found that the average cost of cybercrime has increased from US$9.5m per organisation in 2016 to US$11.7m in 2017.

The rise of ransomware

One major trend is the rise of ransomware attacks, many of which have been directed at government units and hospitals as well as businesses. Such attacks typically lock users out of their computers, demanding payment in return for restoring access. These attacks are increasingly commonplace: the Global Risks Report noted that ransomware attacks accounted for 64% of all malicious emails in 2017.

Particularly notable was last year’s WannaCry ransomware attack, which affected hundreds of thousands of computers across 150 countries. The attack wreaked havoc for the UK’s National Health Service (NHS), resulting in frozen files and cancelled appointments. The ransomware, which attempted to extract payments of around US$300 in bitcoin from victims, also affected Spanish utilities, caused factories to halt production and attacked 1,000 computers in the Russian Interior Ministry. In China, meanwhile, the organisations affected by the attack included 4,300 educational institutions and 20,000 petrol stations.

Wiper malware

Not all ransomware is alike. Shannan Fort, cyber-risk expert at Aon, notes that another trend involves malware which “appears to be ransomware but is actually designed to do nothing but destroy”. Last year’s NotPetya attack, for example, was first believed to be ransomware but was later identified as a ‘wiper’ which simply destroys data without enabling victims to regain access to their files. The attack caused considerable disruption in Ukraine and Russia. It also resulted in costs of around US$200-300m for large corporations such as Merck, FedEx and Maersk.

“NotPetya appeared to be Petya at first, which was ransomware, but what it turned out to be was essentially malicious code or malware,” says Fort. “The purpose was to wreak havoc by wiping systems and corrupting data.”

Counting the costs

The impact of such attacks is set to rise even further. Research published last year by Cybersecurity Ventures estimated that the global cost of ransomware would be US$5bn in 2017, up from US$325m in 2015.

While the costs can include ransom payments, ransomware attacks can also bring a variety of other costs as a result of enforced downtime, loss of data, productivity losses and additional employee training. Accenture’s 2017 Cost of Cyber Crime Study noted that the average time taken to resolve a ransomware attack is 23 days.

Chart 1: Frequency of cyber-attacks

Of the 45% who have suffered an attack in the past 12 months

Chart 1: Frequency of cyber-attacks

Source: survey conducted by Forrester Consulting on behalf of Hiscox

Businesses are often advised not to pay ransom in the event of a ransomware attack: for one thing, there is no guarantee that cybercriminals will actually restore systems once a payment has been received. In practice, however, it is largely suspected that many companies do opt to comply with demands for ransom – not least because they are keen to avoid adverse publicity. “It is very possible that corporates in this situation are choosing to pay, rather than bring this out into the public eye,” comments Sharman. “This would then distort the public’s view of the extent of the problem.”

Beyond financial loss

It’s also important to note that the damage incurred by businesses is not limited to the financial. “Financial losses are certainly important, and often include ancillary losses such as productivity losses and other hard-to-measure categories,” says Inscoe. “Other losses – such as loss of life when key systems are disrupted in hospitals, or when transportation systems are disrupted resulting in accidents – are more critical.”

Reputational damage is another concern, although as Inscoe notes, this may be more costly in the case of large-scale attacks and when consumers’ financial accounts and personal information are breached. “There are so many small data breaches in the news that consumers seem to be tuning them out (due to the sheer volume) except when they are personally impacted,” she adds.

Combatting cyber-risk: the treasurer’s role

As cyber-risk becomes a more pressing concern, treasurers are playing a more important role in managing this area. Steve Wiley, Vice President, Treasury Solutions at FIS, explains that treasurers have historically relied upon the IT organisation or a corporate security function as it related to the management of treasury-related risks.

“Most organisations have shifted away from this approach over the past several years, with the treasurer taking on more of a shared responsibility, working closely with IT to mitigate cyber-risk,” he says. “This has really frustrated that generation of treasurers which isn’t deeply educated or trained in technology. Additionally, treasurers have been challenged in accelerating the cyber security learning curve for all core treasury, non-technologically specialised, employees.”

As such, Wiley says that treasurers and CTOs are looking for third-party technology providers to play a more active role in mitigating cyber-risk, “through hosting and other managed application and data protection services”. Consequently, treasurers “are re-evaluating relationships with all mission-critical service providers, including banks, specialised treasury technology providers, and consultancies providing guidance in technology related areas.”

In other cases, linkages between the IT and treasury department are becoming closer than in the past. “Historically the IT and treasury department would have been in separate floors of the building – but increasingly you’re seeing IT departments and the treasury function merging,” says Deloitte’s Burgin. “It’s not untypical for the CFO of a large Fortune 500 company to have a range of technology people embedded into their treasury function across all levels”.

Quantifying the financial impact

In practice there are a number of reasons why companies may not take action to protect themselves from cyber-risk. According to Inscoe, these may include competing priorities for limited budget dollars, as well as “a naïve belief that it can’t happen to your company”. But as Inscoe points out, “As the ongoing data breaches and ransomware attacks in the news make clear, it can happen to any company at any time, and the cost of handling the crisis probably far outweighs the cost of avoiding it.”

In light of the growing threats, it’s important for companies to understand just how much a cyber-attack could cost them. For one thing, quantifying the risks can play an important role when it comes to moving forward with the purchase of new systems. “Quantifying the implications of a potential attack is extremely important in order to justify technology investments to protect companies,” comments Inscoe.

It can also help with risk transfer decisions when companies are considering taking out cyber insurance, a relatively recent development. “This is still a very young and new cover, and the data behind it is still developing,” says Fort. “We don’t have 300 years of property losses and incredibly accurate predictive modelling to rely on to help us understand the likelihood of a loss and the amount that a company is likely to suffer following that loss.”

As such, Fort says it’s critical that companies take steps to quantify the risks they face. “If the maximum loss you’re likely to suffer is less than £10m, and you’re buying £300m of insurance, you may not be making a prudent decision when it comes to your risk transfer,” she points out.

Paying the price

However, assessing the risks may not be straightforward. On the on hand, a minority of attacks can and do cost businesses hundreds of millions of dollars – but on the other, the cost of most cyber breaches is considerably less. Consequently, treasurers may face a dilemma when considering whether to spend money protecting their businesses using insurance, or whether to spend the money on strengthening their IT defences.

In practice, the nature and scale of attacks can vary considerably. As Deloitte’s Burgin points out, “At one end of the spectrum, it could mean turning the lights out.” It’s therefore important to look broadly at the possible risks and consider a variety of different scenarios.

“Examples of such attacks should be varied, such as losing system access (eg Sony Pictures), a ransomware attack or a major data breach,” says Inscoe. “For each scenario, all the negative ramifications should be defined, and an attempt to quantify the potential negative impacts should be attempted.”

Fort says that companies should factor in a number of different considerations when quantifying possible loss – including the company’s existing controls. “You have to look at compensating controls as well as the risk that you’re facing to understand how a particular incident could impact you, and then what kind of cost you’d be looking at thereafter,” she explains. “For example, a company which specialises in forensic investigations has a team available – so your cost around identifying an incident, controlling it and making sure the impact is minimal will likely be less than for a company which has no experience there.”

Taking action

Whatever a company’s chosen approach, it’s clear that cyber-risk is an issue that needs to be managed carefully. Inscoe advises that companies should “define various threats to their environment, envision the impacts of each type of attack, define roles and responsibilities in the event of an attack, add all this data to their business continuity plan and test it periodically”. She adds that an evaluation should also be performed of security gaps and a timeline developed to address all gaps noted.

Finally, Burgin notes the importance of having cyber-risk squarely on the agenda of the Board. “It’s about having the right resource on your executive team to be able to lead and measure that risk,” he concludes. “Going forward, our view is that you’re going to see more companies having to have IT experienced professionals sitting at that board table, rather than the CFO having IT as part of his remit.”