Fraud Risks Climb in Number and Complexity, Kroll Survey Indicates
Data theft, information leaks and reputational damage are high on list of concerns
Friday, October 18, 2019
By Katherine Heires
Cybersecurity, geopolitics, third-party relationships, social media and reputational threats factor into a fast-changing, increasingly complex risk landscape, as revealed in the Kroll Global Fraud and Risk Report 2019/2020.
“The landscape of risks is growing because thanks to new technology, more people can now get involved in perpetrating risks,” says Alan Brill, managing director, cyber risk at Kroll, a corporate investigations and risk consulting firm and a division of Duff & Phelps.
Rated as a high or significant priority for 588 survey respondents were instances of corporate data theft (77%), leaks of internal information (73%) and reputational damage due to third-party relationships (73%).
Incidents said to have significantly affected organizations over the past year included leaks of internal company information (39%), data theft (29%); reputational damage due to third-party relationships (29%), disruption due to sanctions or tariffs (27%) and adversarial social media activity (27%).
The data come from an online survey of senior executives with risk management responsibilities in 13 countries and regions and representing 10 industries. It was conducted by Forrester Consulting on behalf of Kroll last March and April.
Insiders and Third Parties
In the financial sector specifically, employees were identified as the perpetrators of incidents by 27% of respondents, outnumbering contractors (17%), third parties such as joint venture partners, suppliers and vendors (14%), and customers (14%).
Top risk priorities for the sector are leaks of internal information (80%), data theft including customer records (75%) and reputational damage due to third-party relationships (73%).
Brill notes that in the past, only sophisticated programmers had the skills to develop malware. But today, people with limited technology skills and bad intentions can rent or easily buy malware on the dark web.
“The democratization of risk means more bad things can be done with greater ease and by more organizations and people, Brill says.
He is also concerned about digital currency - 28% of survey respondents said they use it in some way. The cryptocurrency trend “is a moving risk target,” although “given the right planning and the right controls, digital currencies have great utility,” he says.
With governments only starting to develop regulatory guidance for cryptocurrency activities, risk managers must pay close attention to their impact on compliance and security procedures, Brill says. He recommends that practitioners use so-called cold wallets - in secure storage off the internet - along with adoption of security guidelines such as the Cryptocurrency Security Standard.
Brill strongly advocates cybersecurity programs that “break out of the cybersecurity silo” and are not the sole responsibility of the chief information officer or head of IT.
“Cybersecurity is often a matter of life and death for a corporation, and thus everyone in the organization - not just the CIO - has responsibility for the security of systems and information,” he says. In practice, this means that companies should aim for a level of operational maturity in their cyber protection measures. This involves establishing strategic and tactical governance for cybersecurity programs and sufficient internal audit and control capabilities to monitor cybersecurity system performance on an ongoing basis.
Investment Restrictions and Sanctions
In the geopolitical category, 55% of survey respondents cited restrictions on foreign investment, 45% changes in economic treaties, and 45% newly imposed sanctions as affecting their firms' success.
“There are so many geopolitical factors that can impact transactions today,” says Nicole Lamb-Hale, managing director in Kroll's Business Intelligence and Investigations practice. From domestic politics, to geopolitical headwinds like U.S.-China trade disputes and Brexit, “you have to take all these geopolitical factors into account” in making investment decisions.
Lamb-Hale suggests going beyond merely assessing a company's cross-border relationships and looking carefully at a transaction's impact from the counterparty's perspective. This entails working with a team that can map regulatory obligations, trade relationships and other factors affecting foreign counterparties; monitor counterparties' local political and economic environments; and trying to anticipate how local governments and regulators view the relationship, at a time when national security vetting by entities such as the Committee on Foreign Investments in the United States (CFIUS) and similar agencies elsewhere is a growing concern.
“Surfacing geopolitical risks needs to happen earlier and earlier in the planning cycle of companies,” Lamb-Hale says, adding that chief risk officers “need to be at the planning table early,” along with the compliance and legal teams.
Deeper Due Diligence
The increasing instances of third-party risk requires gaining knowledge of business partners and customers as never before and a higher level of due diligence, Kroll says.
Due diligence including assessments of corporate partners revealed problematic social media activity for 32% of survey respondents, data breaches for 28%, insufficient compliance for 26%, and bribery and corruption for 23%.
The solution, says Steve Bock, global practice leader for Kroll's Compliance Risk & Diligence practice, is a new level of due diligence that includes not just legal and financial issues, but additional matters such as a potential partner's ownership structure, cash flows and cybersecurity and data privacy practices.
Reputational risk is a further consideration, requiring assessment of a third party's workplace conditions, social media activity, business practices, and the subject's own network of customer, supplier and lender relationships.
This requires creation of risk profiles for all third parties, often based on questionnaires, as well as a response mechanism that helps a corporation to respond quickly and effectively to adverse information, knowing under what conditions to rethink the situation, remediate, or quickly terminate the relationship.
Bock says that when third-party problems arise, the two most significant parameters to assess are the jurisdiction of the third party and the industry in which it operates. “Focus on these factors - where the highest risk parameters exist - to effectively address the issue,” he says.
According to Brill, the bottom-line message of the Kroll survey is that as the risk landscape grows ever more complex, “risk managers are central to the success of any organization, and they should never underestimate the importance of what they are doing” on behalf of their companies.
Katherine Heires is a freelance business journalist and founder of MediaKat llc.