As in the rest of the world, the COVID-19 crisis has both accelerated and intensified the digitalisation trend in Asia. McKinsey reports that digital adoption took a quantum leap at both organisational and industry levels. In Asia Pacific (APAC), the digitisation of customer interactions was accelerated by four years, and the growth in the average share of products and/or services that are partially or fully digitised was accelerated by 10 years, the highest of all regions in the survey.
Gartner’s report echoes these findings: demand for and adoption of cloud in APAC is forecast to exceed the rest of the world, with overall cloud spending expected to reach US$200 billion in the region by 2024.
This evolving and more COVID-resilient business model of embracing cloud infrastructure and remote working arrangements, whilst enabling business continuity, fundamentally altered the risk perimeter organisations are operating within. The speed at which new protocols were adopted and deployed posed challenges to all industries and highlighted the ongoing tensions between security, compliance, and the need to remain operational.
Hacker groups, growing both in numbers and sophistication, have identified lucrative opportunities to attack. They have been quick to shift their targets from relatively well-defended corporate environments to home offices and other offsite locations that lack similarly strong security controls. Cyber risk, which has been steadily moving up to the top of corporate risk registers, was thrown into even greater focus.
Willis Towers Watson’s recent Technology, Media and Telecommunications (TMT) Futures Report highlighted the concerns held by TMT executives and key individuals operating in an industry that is no stranger to disruption and transformational business models. These executives were asked to identify challenges associated with digitalisation and technological advances, specifically in the context of data management.
Cyber-attacks, data security and other risks associated with operational complexity and vulnerability were TMT concerns long before COVID-19, but the pandemic’s impact on business operations and buyer behaviour exposed new organisational shortcomings or aggregated old ones. A key risk noted was the absence of an enterprise-wide cyber culture and the ability of leadership to position their companies to cope with change.
Rising and unexpected costs associated with rapidly evolving digital or technological solutions were also voiced as a challenge, as was the increased dependence on remote working technology and automated solutions, including exposures related to third-party vendors and other external business partners.
These concerns apply similarly to broader industry groups: the absence of an enterprise-wide cyber culture, where cybersecurity is treated as a cost outlay rather than a strategic priority, will lead organisations down a dangerous path where corners may be cut in order to boost bottom lines and protect struggling margins.
In Asia, we are beginning to see a turning of the tide, with enquiries from boards for cyber risk assessments and insurance growing significantly. There is a growing realisation that cybersecurity is not solely the remit and concern of the IT team, but rather something to be addressed as an enterprise-wide business risk. Companies in Asia are now seeing a critical need to understand, identify and quantify their cyber risk through the lens of a structured risk management framework.
With organisational risk perimeters now less defined and employees physically dislocated, organisations must be proactive in understanding the risk culture of their organisation and the prioritisation requirements. For example, cyber risk assessment methodologies which push the identification and assessment of cyber risk beyond the technology environment will give boards a more realistic assessment of organisational cyber risk and provide situational awareness of an organisation’s exposure areas.
The evolving business model for Asian companies moving to digitalise necessarily involves a redesign of their technological supply chains. This increasingly complex chain can span multiple third parties (and third parties’ third parties) with high volumes of data being exchanged at various locations. With this complexity, supply chain visibility will become more and more challenging. Given the dependencies and criticality of third-party vendors remaining operational, mapping out third-party vendor risk is crucial.
Supply-chain attacks have highlighted how aggressive threat actors are becoming in identifying vulnerabilities and going for lucrative targets where the downstream effects are the heaviest hitting. These can include threat actors infiltrating a company’s system through an outside partner or provider who has access to their systems or data. Such events have also demonstrated how interconnected our collective cyber risk is and how companies need to be prepared and resilient.
Earlier this year, we saw the far-reaching impact of a supply-chain attack which had origins at a modest IT software vendor based in Dublin, but reportedly impacted more than 70 managed service providers who use their software, and a further 300 or more downstream customers. The impacts of the attack were experienced globally from 800 outlets of a Swedish supermarket chain to 100 New Zealand kindergartens, all utilising managed service providers who integrated the affected software.
A ZDNet survey of APAC conducted in March this year also reported a growing trend of cyberattacks on APAC firms. Some 68% of businesses across six Asian markets, namely Singapore, India, Japan, Malaysia, Australia, and the Philippines, said they have been breached, up from 32% in 2019.
Technology supply chain management is therefore a site of cross-departmental collaboration and cannot be left solely to procurement or IT teams to handle, siloed from risk and legal teams. Risk managers have an important role to play in ensuring there is a resilient supply chain through a dedicated risk map which identifies weakness signals and over-dependencies, and ensures there are business continuity plans that can accommodate failures or disruptions at a third-party provider level. This risk map should also be able to identify the business impact of a disruption and quantify the financial impact, thereafter enabling risk managers to work with finance teams on transferring the residual risk to the insurance market.
Cyber risk is clearly a dynamic peril that goes far beyond IT. For companies undergoing digital transformation, shifting to a greater reliance on cloud providers and third-party vendors, the cyber risk landscape has altered (increased) significantly given the accompanying shift in risk perimeter. To match the increasing complexity of the risk landscape organisations are operating in, one that is less well-defined, rapidly changing, and volatile, with sophisticated threat actors actively seeking to exploit vulnerabilities, organisations need to take proactive strides in creating an enterprise-wide cyber culture.
Partnering with experienced risk advisors will bring an objective and experienced perspective in establishing and maintaining an integrated cyber risk management framework that matches the business needs and is aligned to strategic objectives in the immediate, near-term and long-term views.
The article was first published in Asia Insurance Review, October 2021 issue.