Rohini Tendulkar, Economist, IOSCO:

The first thing to understand is that the cyber attack threat profile that a firm faces will depend very much on the type of firm, the services it provides and its function in the greater financial system. Threat assessments are best performed on an individual basis.

In general, cyber attacks will most likely be targeting money, or information that can be monetised, but this is not always the case. Cybercriminals can come with a myriad of motivations and include actors such as: Criminals, including organised criminal groups, acting for financial gain; ‘Hactivists’, groups or individuals motivated by a political ideal or ideology; cyber spies, using espionage to steal political or economic secrets, including information on how financial markets work; nation states or terrorist groups, using the cyber vector in warfare with a motive to disrupt or destroy a nation’s economy; insiders (eg disgruntled employees) seeking to steal from or sabotage their firm.

This means that in some cases, firms may be targeted by those driven by political, geopolitical and ideological reasons – where revenge, disruption and sabotage are the goals. In addition, a firm, no matter the size, may be targeted as an entry point to get into a system of another, connected firm. It is therefore critical that all firms, clients and third-party vendors are aware of the cyber risk, put in place preventative measures and identify who and how they are connected to each other through IT infrastructure.

In the Asia-Pacific region in particular, it is worth noting the acceleration of technological usage in business and government. As the use of technology increases, new vulnerabilities are introduced. Nevertheless, the status and challenges of cyber risk exist irrespective of regional or national borders. Some cyber threats to consider include:

• Stealing of confidential data/information – through obtaining access credentials and dispatching a virus.
• Distributed denial of service attacks – flooding a server with information requests until it crashes.
• Advanced persistent threats – multi-layered and multi-stage cyber attacks that can stay in a system for years without being detected.
• Ransomware – malware that blocks system access, disrupts processes or scrambles data. Functionality is returned to normal only after a ransom (monetary or political action) is paid.
• Cyber espionage also appears to be an emerging trend in the region, according to some reports.

In terms of tackling cybersecurity, it is important to realise that cybercrime is not something that can be dealt with by a firm’s IT department in isolation. Traditional preventative measures such as antivirus software and firewalls are not enough to deal with sophisticated attacks. Even with the most cutting-edge preventative and detection technology in place, human behaviour (such as clicking on an attachment in an email) can provide a channel for cyber attacks to penetrate.

Consequently, for treasurers, it is important to keep up-to-date with trends in the cyber attack landscape to know what to look out for – in particular the various social engineering techniques that may be used to trick someone into allowing a cyber attack to propagate. This can be achieved by attending cybersecurity training or information sharing events/groups. It is also important to identify the most critical or sensitive information/data/processes under one’s control and relay this information to IT departments so that cybersecurity efforts can be prioritised. Lastly, treasurers should understand or encourage the development of internal cybersecurity policies in their firm, for example clear reporting lines in the case of a cyber attack.

Anupreet Singh Amole, Senior Associate, Freshfields Bruckhaus Deringer LLP:

Simply put, a cybersecurity incident is a breach or disruption of an organisation’s computer systems (or internet presence) by an unauthorised third party. Although this topic is often linked with the growth of technology within an organisation, cyber risk is far more than a technical issue. When hackers steal, or employees lose, confidential data, the affected company faces real-world implications, whether financial, legal or reputational. As such, a company’s risk mitigation and incident response should be multi-disciplinary from the very outset.

Hackers use various techniques depending upon their intentions. Those seeking to disrupt, may launch denial of service attacks to cripple a company’s client-facing website. By contrast, those seeking to steal confidential commercial information and/or valuable personal data (such as credit card details) will use spear-phishing emails or sophisticated ‘watering-hole attacks’, which infect an external website frequented by the target organisation (eg a news outlet for a particular profession or industry sector).

As demonstrated by high-profile cases over recent years at Sony, Adobe, Apple, eBay and Target Inc, these threats can have significant, real world, commercial consequences. In the case of Target, the company suffered both reputationally and financially. Its CEO resigned in the aftermath and it still faces class action litigation by shareholders, consumers and certain financial institutions. It seems that the Target breach is regarded as something of a tipping point in corporate awareness of cybersecurity.

Clearly, there is a place for spending on specialist technical security advice and software. However, one must not see that technical element as a panacea. Instead, and perhaps somewhat counterintuitively, it is the human element that is crucial. Again, a cross-functional approach is required.

Do the directors on your Board understand the effects that a cybersecurity breach could have upon the company? Has the Board discussed relevant guidance issued by government agencies? Are your employees trained about cyber and information security more broadly? Do they know how to spot and report a suspected phishing email? Do employees have access to all data or are there restrictions around the most sensitive data? Does the company have clear computer use policies? What is the policy and procedure regarding employees’ access to and storage of company data on their individual personal mobile devices (eg Bring Your Own Device policies)?

Do contracts with suppliers (including data cloud providers) and customers address liability for data loss? Do the company’s insurance policies adequately cover the risk of a cyber breach? What are your plans for handling an incident as and when it occurs? Who will be in your incident response team? It would be prudent to include representatives from senior management plus IT, Legal, Security, Corporate Communications, Human Resources, Investor and Press Relations functions. Which external advisers (IT security/forensic consultants; lawyers; corporate brokers) are needed? How and when will you rehearse your incident response? These are just some of the issues to consider when managing cyber risk.

Eddie Toh, Director, Forensic, KPMG and Lem Chin Kok, Partner, Forensic, KPMG:

The underlying risks posed by cyber, in many respects, haven’t changed a great deal in the last decade. Malwares and phishing scams are nothing new; however the sophistication of these has increased. The main change however, is the scale of these risks. Over the past decade, organisations have introduced exponential amounts of technology in all areas of the business. Although this has offered many benefits to companies, it has also opened the market to cyber criminals. The market place is also growing, as individuals and organisations throughout Asia Pacific and the world embrace technology.

The big question then is – are companies aware and prepared to meet the threat? In Asia Pacific, generally the answer is no, and in some cases organisations don’t care about the topic. We have seen companies introducing lots of technology, and spending lots of money doing so, but not focusing on the risks associated with this and building adequate controls and processes to mitigate these. In the cases where cyber risk is appreciated, a second problem is that in the region we have limited professionals with the knowledge and skillset to help companies mitigate these risks.

Another key problem is the lack of awareness and knowledge about the cyber world at an individual level. For example, we often see cases where an individual within a company has fallen foul of a phishing scam, despite these well-publicised scams existing for a long time. Another example comes from man-in–the-middle attacks, where the cybercriminal eavesdrops, intercepts and relays messages between parties, inducing innocent parties into making payments to bank accounts controlled by the cybercriminal. In recent months, we have seen an increasing trend of the treasury falling foul of these attacks. In many cases, the treasury followed up on requests to make payment to other bank accounts and employed their control procedures by asking for supporting documents to validate the request, which the cybercriminal who made the request was able to fabricate and provide. The payment was made and it was only after a few months, when the real supplier called asking for payment, that the treasury realised what had happened. We therefore always advise our clients to make an independent call back to the vendor to validate the request. Individuals should also be mindful of email accounts of the email sender and receivers (including those copied).

Cyber attacks are becoming increasingly common in the region and are likely to increase. It is no longer a question of whether an organisation will be compromised as a result of cyber attacks, but when. Organisations have to assume that their IT infrastructure will be compromised and ensure that they are well-prepared to detect and respond to cybercrimes when they happen. We strongly believe an organisation can mitigate the risks posed by cyber when it takes a people-led approach, puts in place a strong cyber governance process and invests in the right technology.