Cyber fraud issue enters boardroom as prevalence rises
Half of Irish chief executives see cyber security as a leading risk to business
The growth of cyber security as a concern is having an impact on corporate acquisitions.
If there is any upside to cyber fraud, it can only be that its growing prevalence has brought technology to the top table.
“We are seeing a shift among clients in relation to this in so far as, even just a couple of years ago, cyber security was seen as an IT issue, now it is very much moving centre stage as a business issue and one that is receiving more emphasis from board level down,” says Michael Daughton, partner risk consulting at KPMG Ireland.
“It is also moving higher on the radar in terms of client priorities. A recent survey we undertook found that half of Irish CEOs see cyber security as one of the top risks facing their organisation.”
It is now very much a governance issue, a trend that will only increase, given the advent of new European Union data-protection requirements, he says.
Due to be in place in May 2018, the EU’s General Data Protection Regulations will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.
“It raises the bar in terms of what companies need to be doing in relation to the management of data, and clearly cyber risk is a big part of that. With legal implications facing businesses the new data-protection requirements will bring a whole new level of accountability requirements to businesses and you will have to demonstrate that you are compliant,” says Daughton.
The growth of cyber security as a concern is having an impact on corporate acquisitions too, with a KPMG survey finding 80 per cent of global investors would, if they found a company they were interested in acquiring had a cyber breach or a loss of data, change their view about the deal.
But cyber risk is having an impact on the corporate finance landscape in other ways too. For a start, the outlook for companies providing security products is increasingly rosy. “In a transaction environment, there are going to be lots of businesses creating opportunities by being the security part of cyber security.” says Eamonn Hayes of Capnua, a corporate finance advisory firm.
“At every level, the opportunities for security businesses are enormous because it’s an offering that is likely to be globally applicable, highly scalable and with huge market opportunities. People who are developing businesses in this sector will find raising capital relatively easy because of the enormous unmet need,” says Hayes.
It’s a need that extends beyond obvious targets for fraud such as banks and other financial institutions, to the most modest of SMEs.
“What’s more, cyber-security solutions are close to representing a permanent opportunity because the nature of cyber risk is such that it is ever changing, and so cyber security will have to be ever changing too.”
The increased regulatory environment will also drive change, and therefore new business opportunities, in the sector.
“There is going to be a lot of opportunity for businesses selling not just to large, enterprise-level businesses, but the SME market too. The fact is, we all use our credit cards everywhere now, so it’s not just big companies that are at risk. Small and medium-sized businesses are going to require increasing capability in terms of protecting client info. The threat is as real for small businesses now as it is for large ones.”
He too believes this will have a bearing on deal flow. “When it comes to selling a business, if you are selling one that holds lots of client data, the integrity of your systems is a factor and will increasingly be an aspect of due diligence that is examined,” says Hayes.
The proliferation of “spear-phishing” attacks – where a business receives a highly personalised, and plausible, request for payment – and ransomware, which closes down a computer system until a payment is made, has moved the topic from the theoretical to the uncomfortably real.
“We’re seeing a growing awareness that this is a real threat and no longer an academic topic,” says Brían Gartlan, a partner at BDO Ireland and head of its risk and advisory services team.
If there is a silver lining to such attacks, it is that they alert business owners to the reality of the cyber threat, helping avert “what could be a much bigger problem next time”, he says.
In particular it alerts organisations to the fact that hackers could also be gaining access to their data in a way that leaves no trace. “For organisations that hold a lot of valuable intellectual property for example, there’s a realisation that perhaps they’ve been leaving the back door wide open. In such cases, having a smaller attack may be a blessing in disguise, if encourages them to face up to their risk and the need to have strong controls in place,” says Gartlan.
Risk assessment key to protection
“There is an asymmetry to cyber security risk in so far as, you can put a huge effort into protecting your organisation, and still never know if it is enough,” says Brían Gartlan of BDO Ireland. A very real risk therefore is that a business may be put off addressing the issue at all. That would be “foolish”, he says.
The first step to take is in relation to training. “The biggest risk is still people, so train them to be careful and sensible,” says Gartlan.
Then do a risk assessment of your systems, data and networks. “Find out what you can do, establish what you can spend, and then prioritise which you are going to do first,” he says.
Even for organisations that would never have thought themselves as being at risk, such as healthcare providers, cyber security is “not a hypothetical issue any more – it is ubiquitous”.
From a corporate finance perspective, it is ever more likely to be a central part of the due-diligence process for investors and businesses on the acquisitions trail. “Increasingly they will want to establish whether or not the business they are buying could ultimately cause them reputational damage.”