CYBERSECURITY

More documents

Recommendations

Info

THE RESPONSE In response to the increasing level of cybersecurity risk, governments, regulators and company board members around the world are heightening their focus on knowledge and defences. Government action At a government level, spending has been increased to strengthen internal security architectures, while regulatory oversight has been enhanced to protect public and private sector entities. The US federal government has been particularly proactive in these efforts, with President Obama’s budget for the fiscal year 2017 calling for $19 billion to be invested specifically in technology to protect high value assets as well as cybersecurity recruiting talent. 13 This represents a 36% increase year-on-year in Federal resources for cybersecurity. US FEDERAL SPENDING IN <strong>CYBERSECURITY</strong> ($ BILLIONS) 20 18 $19.0 Investments ($ Billions) 16 14 12 10 8 6 4 2 0 $5.5 2006 $5.9 2007 $6.2 2008 $6.8 2009 $12.0 2010 $13.3 2011 $14.6 2012 $10.3 2013 $12.7 2014 $12.7 2015 $14.0 2016e 2017e Source: FISMA Annual Report to Congress, whitehouse.gov Outside of the US, the UK government has also increased its proposed level of spending on cybersecurity defences, setting aside £3.2bn for investments over the next four years, double the level previously. 14 The European Union has also increased its level of spending, as well as launching a cross-border research effort between member nations, in which it has provided €500 million of funding and is seeking a further €1.5 billion from industry. 15 Regulators are also beginning proactively to address cyber risk. In the US, the Cybersecurity Act 2015 was signed into law in December 2015, a voluntary standard which is being adopted by companies to share information surrounding cyber-attacks and ultimately form a collaborative effort to improve cybersecurity intelligence. 16 In Europe, the European General Data Protection Regulation was adopted in 2016, which imposes strict requirements on data breach notification and imposes fines on companies that fail to protect data or notify regulators of a breach. 17 In addition, there has been greater cooperation between countries in combatting cybersecurity risks. For instance, in November 2015, US President Obama and China President Xi Jinping agreed not to conduct or knowingly support cyber-related attacks for the purpose of corporate espionage. 18 However, while this is a progressive step, it is unlikely that these initiatives will prevent future cyber-attacks on public or private sector entities. 13 The White House, 2016, ‘FACT SHEET: Cybersecurity National Action Plan’, February 9, 2016. https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheetcybersecurity-national-action-plan 14 E-Hacking, 2016, ‘UK Government will Spend £1.9bn on Cyber Security’, March 5 2016. http://www.ehacking.net/2016/03/uk-government-will-spend-19bn-on-cyber.html 15 PC World, 2016, ‘EU Plans $2b Investment in Cybersecurity Research’, July 5 2016. http://www.pcworld.com/article/3091708/eu-plans-2b-investment-incybersecurity-research.html 16 White House, 2016, ‘FACT SHEET: Cybersecurity National Action Plan’, February 9 2016. https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheetcybersecurity-national-action-plan 17 Allen & Overy, 2016. ‘The EU General Data Protection Regulation’ 18 CNBC, 2015, ‘US-China Agree to not Conduct Cybertheft of Intellectual Property’, September 25 2015. http://www.cnbc.com/2015/09/25/ 10 Amity Insight September 2016
BOARD ACTION With greater frequency and larger costs, investors and regulators are increasingly challenging boards to step up their oversight of cybersecurity. Indeed, the World Economic Forum (WEF) lists cyberattacks as one of the biggest global risks facing businesses around the world, ranked higher than food crises, interstate conflict and terrorist attacks. 19 As a result, cybersecurity should sit within the oversight role of the Board. According to law-firm Slaughter and May, who published a report detailing their engagement with the top 350 UK listed companies on cyber security threats, 75% of audit chairs felt their Board took cyber risk very seriously and 88% of respondents now include cyber risk on their risk registers (up from 58% in 2013). 20 This suggests there is an increased level of engagement with the issue as a business rather than a pure technology risk. However, even when discussed at Board level, the time devoted to the topic can be quite small as shown by the PwC Annual Corporate Director’s survey. 21 % OF TOTAL ANNUAL BOARD/COMMITTEE HOURS SPENT DISCUSSING OVERSIGHT OF I.T. RISKS & OPPORTUNITIES 45 40 35 30 25 20 15 10 5 0 2012 2015 40 39 37 31 16 14 3 4 2 1 1 2 5% or less 6% to 10% 11% to 20% 21% to 30% More than 30% None Source: PwC Annual Corporate Director’s Survey 2015, 2012 As the cybersecurity landscape evolves, companies and their directors are likely to face increasing scrutiny. Ownership of cyber security has started to shift from the Head of I.T. to the CIO or the CEO and some companies have implemented Board training on cybersecurity risks at an executive level and appointed Chief Security Officers. Slaughter & May (2015) found that 48% of audit chairs had undertaken some form of cybersecurity training in the prior twelve month period. 19 World Economic Forum (2016), The Global Risks Report 2016: 11th Edition 20 Slaughter & May (2015) Cyber Security – Corporate Insights for Companies and Their Directors, March 2015. https://www.slaughterandmay.com/media/2478522/ cyber-security-corporate-insights-for-companies-and-their-directors.pdf 21 PWC, 2015, ‘Annual Corporate Directors Survey’. http://www.pwc.com/us/en/governance-insights-center/annual-corporate-directors-survey/assets/pwc-2015- annual-corporate-directors-survey.pdf Amity Insight September 2016 11
Page 1 and 2: edentree investment management AMIT
Page 3 and 4: THE ORIGIN AND EVOLUTION OF CYBER T
Page 5 and 6: “ The likely annual cost to the g
Page 7 and 8: PER CAPITA COST BY INDUSTRY ($USD)
Page 9: Evolving motivations The motivation
Page 13 and 14: OTHER IMPLICATIONS Cyber insurance
Page 15 and 16: TOP TEN PUBLIC SECURITY SOFTWARE VE
Page 17 and 18: VIEW FROM THE TOP “ Neville White
Page 19 and 20: Amity Insight September 2016 19

CYBERSECURITY

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?