Cyber risk governance must take centre stage at companies

THE digital revolution has heralded great benefits, but the scourge of cyber crime is growing apace. Cyber crime has been estimated to cost the global economy over US$450 billion a year. Last year, over two billion personal records were stolen. The Asia-Pacific, in particular, would seem to be acutely unprepared.

According to the Microsoft Malware Index 2016, of the top five countries most vulnerable to malware attacks, four are in the region - Pakistan, Indonesia, Bangladesh and Nepal. While Singapore may be some paces ahead - it is, after all, driving significant investments in cyber security - it is vulnerable as well. A 2016 survey of Singapore companies by PwC named cyber crime as the second most pervasive economic crime, after asset misappropriation. Cyber incidents have risen sharply: 43 per cent of respondents were hit in 2016 compared to 15 per cent in 2014. Direct losses reported by companies ranged between US$100,000 and US$1 million.

Shareholders lose as well. Just this year, CGI, an IT and business service provider, released a study on the link between cyber breaches and company value. It found that UK-listed companies that experience a severe cyber breach see their share value fall by an average of 1.8 per cent on a permanent basis. This means investors in a typical FTSE 100 firm are worse off by an average of £120 million (S$215 million). The analysis also suggests that the negative impact on share value is getting more severe. Already, both S&P and Moody's have warned that cyber risks could impact credit ratings. As the threat of cyber attacks rises, says Moody's, "the credit implications associated with cyber defence, detection, prevention and response should start to take a higher priority within our credit assessments and analysis".