The threat of companies being hit by a cyber-attack is increasing dramatically. Global cyber-attacks soared by 38% in 2022 compared with the previous year, while there were 2.4m instances of recorded cybercrime across all businesses in the UK in the last 12 months—with the real number probably higher.
One estimate by Cybersecurity Ventures puts the global cost of cybercrime as reaching £8.4trn annually by 2025: if it was measured as a country, cybercrime would be the world’s third largest economy after the US and China.
The ways in which hackers are breaking into systems are getting more guileful, too. In September, British security chiefs warned of fresh threats that arise when companies integrate artificial intelligence (AI) chatbots into their systems, because of the chatbots’ susceptibility to manipulation and cyber risks. The new research by the National Cyber Security Centre outlines how hackers can trick AI-powered chatbots into performing unauthorised actions, such as making fraudulent payments or corrupting confidential data.
This just makes it all the more important that UK companies take the cybercrime threat seriously. Yet a new research report that our team at Savanti has just produced by interviewing senior business leaders, including those in FTSE 100 companies, shows that many boards are struggling to understand how to manage cyber risk effectively and combat cybercrime, putting them at increased risk of crippling costs such as ransoms running into millions of pounds, litigation and reputational damage. In fact, one estimate finds that six in 10 directors say their company is ineffective in even understanding the risks.
Steps for the board to take
First, cybersecurity is often merely filed under ‘any other business’ at board meetings when, given the increasingly high risk of a cyber-attack, it should be discussed more often—at least on a quarterly basis.
Our research also found many businesses are ‘cyber-lite’, in that their boards have little to no representation of directors with data and cybersecurity experience. It’s second nature to have finance and HR representation at board level because of their importance across the business yet, despite the increasing risk of cyber-attack, knowledge of cyber issues is, at best, under-represented and, at worst, ignored. Having at least one board member with direct experience of cybersecurity issues would increase board capability.
Finally, those businesses who do improve their board governance on cybersecurity are likely to get ahead of the curve. In July, the Securities and Exchange Commission (SEC)—the US agency comparable to the UK’s Financial Conduct Authority—issued a ruling requiring companies to describe their management oversight of cyber and their processes for the assessment, identification, and management of material cyber risks, as well as to report material incidents within a specified timeframe and standard reporting framework. The SEC also requires these companies to describe their board oversight of cyber risks.
History shows us that SEC rulings have a habit of becoming the de facto standard for good governance, meaning the ripple effect is likely to be considerable. Indeed, the SEC joins a growing list of regulators acting in this space, including the EU’s NIS2 Directive on network and information security, Australia’s Critical Infrastructure Act and Norway’s Security Act.
It’s highly likely more countries will follow suit. That could include the UK too, but even if it doesn’t, the international reach of cybercrime means UK businesses will need to up their game.
More regulation on the way
My prediction is that more cyber regulation will emerge in the coming years in the UK and Europe that will eclipse the GDPR reporting rules—such as disclosing all material incidents, not just those that relate to personal information, to the relevant public authorities. So boards should act now.
Our report also highlights research from MIT, which found that enterprises with digitally savvy, cyber-engaged executive teams have significantly higher revenue growth, valuations and net margins. It found that effective cybersecurity also brings many top line benefits, including greater success rates when tendering for new clients, improved data insights, investor confidence and maintenance of shareholder value during mergers and acquisitions.
In short, while cyber threats may be increasing, so are the opportunities for those businesses who take action to improve their board governance of the issue.
Richard Brinson is CEO of cybersecurity consultancy Savanti