“As a company, we are digital!”: a sentence like this can be said by companies that recognize and welcome digital transformation as a tool for growth and as an answer to a hyper-connected ecosystem. Awareness of the speed at which cyber criminals move, and of the fact that it is impossible to defend ourselves from what we cannot see, makes cyber risk stand apart from all other risks. It must be faced first with culture, governance and transparency.
First and foremost, it is important to be aware that cyber criminals are the fastest movers. Digital evolution, which has fostered and multiplied the connections among individuals, companies and institutions, has generated new opportunities for criminals. In turn, these criminals have developed a dark market of highly specialized services, based on extremely rapid and fluid networks that form around a project for a limited time and with very specific objectives. Cyber risk therefore differs from other risks in that it is characterized by the rapid evolution of both technology and the criminals’ business models. It is made worse by the fact that governments and companies are slower to respond and adapt, and the wider this gap, the greater the risk that companies take on.
Cyber risk is also different because the game is “free for all”: attacks can be perpetrated from any part of the globe. Since we cannot defend ourselves from what we cannot see, awareness has grown that governments need to play a more active role in collecting and sharing information and in coordinating the defense. Europe, whose Directive on the notification of incidents suffered by operators of essential services (energy, transport, finance and health) came into force in 2018, was a pioneer, paving the way for other nations, such as the United States and Australia, that are considering similar rules requiring incidents to be reported within 24 hours.
The dream of giving all users access at any time and from anywhere, pursued for years, has become reality thanks both to technology and to a cultural change that reached its peak during Covid-19. Unfortunately, it is still true that the weakest link in the cyber defense chain is people: an analysis of data gathered by the UK Information Commissioner’s Office found that human error was the root cause of 90% of the data breaches that occurred in 2019. Because these failures are attributable to an insufficient cyber culture, many companies have started to fill the gap, acknowledging that people are the real asset both for building a cyber culture and for effectively defending the IT perimeter. It is because of this social dimension that cyber risk cannot be considered a purely technological risk, but one strictly connected to the “S” of the well-known acronym “ESG”.
With reference to the “G” of Governance, according to the Gartner 2020 Board of Directors Survey, cyber risk is the second-ranked source of risk after compliance risk. For this reason, Boards have started setting up dedicated Cybersecurity Committees: Gartner foresees that 40% of listed companies will have a Cybersecurity Committee in place by 2025.
But, in the event of an attack, is notifying the authorities sufficient, or is a dialogue with investors and broader communication more appropriate? It is well known that the victims of cyber crime are reluctant to admit that they have been attacked: research published in 2018 by LBS found that listed companies are willing to disclose the attacks they have suffered only when investors’ suspicion is high (40%), because such information is otherwise unavailable in the market. The same research found that this behavior affects share value: although the share price undergoes a negative correction in both cases, the size of the fall, 3.6% in the case of non-disclosure against 0.7% in the case of disclosure, changes the impact considerably.
It is at this point that the active role of the Audit Committee emerges. The Audit Committee, as overseer of the integrity, reliability and credibility of the financial and non-financial information provided to all stakeholders, defines the reporting and disclosure strategy that safeguards one of the company’s most important assets: its reputation. At this point a choice needs to be made: publish minimal information (or none at all), or opt for a transparent disclosure that fosters dialogue with stakeholders and, more generally, with all market players?