Cyber Volatility: How Regulators and Banks Are Responding to a Surge in Cybercrime

Every year, cybercrime becomes cheaper, easier, and faster, making a variety of companies - including banks - more vulnerable to attacks than ever before. Damages from cybercrime are projected to reach $6 trillion, annually, by 2021. In response, banks are spending hundreds of billions of dollars on cybersecurity, and regulators have, understandably, turned up the heat.

In the U.S, federal regulators have significantly escalated penalties related to cybersecurity and data privacy. Over the past couple of years, a host of regulators - such as the Federal Trade Commission, Federal Communications Commission, Securities and Exchange Commission (SEC) and Department of Health and Human Services - have issued fines ranging from $25 million to $5 billion.

The shifting regulatory landscape coincides with economic and technological changes that are helping a new cybersecurity dynamic take hold in boardrooms and C-suites around the world and across every industry. Corporate cybersecurity leadership today must start at the senior-most levels - with boards, enterprise risk executives and CEOs.

Indeed, board members now have a regulatory obligation to understand their companies' cyber risks and to take proactive steps to mitigate them. Management and the board, moreover, must perform regular financial assessments and provide advance disclosures to shareholders on all potential cyber risks.

While this reality creates new pressures for CEOs and other executives, it also provides opportunities for firms that build cyber-aware cultures to differentiate themselves from competitors and gain a competitive advantage.

This represents a dramatic break from the past. CEOs used to rely on their CTO, CIO or CISO for everything cybersecurity-related. What's more, just five years ago, cybersecurity measures at many companies were limited to basic processes, such as requiring complicated passwords and changing them regularly.

Since then, there has been a global proliferation of smartphones, which people are increasingly using for financial transactions and other sensitive functions. Today, in fact, at least three billion people (more than 40 percent of the global population) use smartphones.

Moreover, the potential “cyberattack surface” has been amplified by the Internet of Things (IoT), according to the World Economic Forum (WEF). “It is estimated that there are already over 21 billion IoT devices worldwide, and their number will double by 2025. Attacks on IoT devices increased by more than 300% in the first half of 2019 … and the risk of IoT devices being used as intermediaries is expected to increase,” the WEF opined in a recent report.

Evolving Regulation: Past, Present and Future

Through this digital transition, cyber risk regulations and expectations have exploded in scale and rigor. Up until a few years ago, the SEC's approach had focused on public companies' obligation to disclose cybersecurity risks - mostly through post-incident reporting. However, in February 2018, it strengthened its stance to require that board members and the C-suite take more direct responsibility for their companies' cyber risks.

Under this guidance, board members are obligated to understand their companies' cyber risks and take proactive steps to mitigate them. Management and the board are also now required to make regular financial assessments and advance disclosures related to all potential cyber risks.

The SEC's guidelines were intended, in part, to help companies better understand the economic implications associated with relevant cyber events and to better communicate metrics about their cyber exposures to internal and external stakeholders. But they also enabled companies to further integrate cybersecurity risk into their enterprise risk management program, and to optimize cybersecurity with a focus on return on investment (or business enablement).

As previously noted, companies that have suffered cyber breaches have faced stiff punishment from regulators. But the penalties we've seen so far are just the beginning. In the coming years, we can expect the SEC's interpretive guidance to result in increased scrutiny and accountability around accurately disclosing cyber risk to shareholders.

Across the regulatory landscape, we can expect more material monetary fines and more enforcement orders - potentially causing greater reputational damage for financial institutions. In the U.S., regulatory scrutiny is being heightened at both the federal and state levels. States like New York, for example, have already begun to implement their own cybersecurity-related penalties.

Cyber Roles: From the Board to the CEO and CRO

Given this environment, it is vital for board members and enterprise risk executives - such as CEOs, CFOs, CCOs and chief risk officers (CROs) - to be key cogs of the cybersecurity team; otherwise, they put themselves and their employer at significant risk. Indeed, they serve themselves, their shareholders and their employees best when they leverage their leadership roles to rally resources, direct attention and provide cyber guidance across the enterprise.

Boards' big-picture responsibilities give them a uniquely holistic perspective to reduce silos, focus resources, manage risks and drive investment.

For savvy companies, new regulations reinforce good behavior already happening across industries. For instance, many CEOs already understand that you cannot manage what you can't measure. They recognize the imperative to understand their companies' cyber crown jewels - such as customer data, proprietary information and mission-critical business processes linked to IT. What's more, they realize that those assets must be protected from business interruptions that could potentially be caused by cyber adversaries, ranging from criminal organizations to nation states.

Building a Culture of Cyber Awareness

Whether board involvement means a new level of focus on cybersecurity or only more oversight, it tends to come with new resources. As cybersecurity has risen to the top of senior business leaders' priority list, spending has followed: global cybersecurity spending is expected to reach $173 billion this year and grow to $270 billion by 2026.

When directed wisely, this investment is going toward essential defensive measures that constitute good “cyber hygiene” and reinforce a strong cyber culture. This includes mastering basics - e.g., managing supply-chain exposure; integrating enterprise-wide security; maintaining basic technology hygiene; identifying and containing material cyber events; performing regular risk assessment evaluations and exercises; and improving operational resilience and business enablement.

Doing these things well requires (1) deliberate, enterprise-wide attention to a culture of security and accountability; (2) deep expertise, deployed up and down the organization; and (3) a commitment to bringing in and nurturing the right talent.

Cyber threats can also be one of the most important risk factors to consider when conducting due diligence around acquisitions or partnerships. In fact, in one survey of dealmakers, 90 percent indicated cyber breaches could cut deal value and 83 percent said they could end a deal. That's why there are lessons in the SEC's 2018 cyber guidance for private companies, as well as public ones.

Parting Thoughts

Cyber exposure is a bottom-line and reputational disaster waiting to happen for senior leaders - and the customers and communities they serve.

Corporate governance on cybersecurity has entered a new era, which brings new opportunities and resources for business leaders. In today's environment, CEOs should expect their CFOs, CCOs, CROs and boards to be their toughest customers - as well as their biggest cybersecurity advocates.

To address these challenges and heightened expectations, companies should understand the material impact of key cyber events - including the cost to contain and recover from them. Furthermore, they must develop a plan for improving their cyber resilience over time, while managing their cyber risk exposure through business and economic lenses.

Christopher Hetner currently serves as both a special advisor of cyber risk to the National Association of Corporate Directors (NACD) and an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury). Previously, he served as the senior cybersecurity advisor to the chair of the SEC. He can be reached at chetner10@gmail.com.