From CompliNEWS | Financial Service Intelligence Watch

Complacency on cyber threats is a compliance disaster waiting to happen

Compli-Serve SA

The work-from-home revolution has largely shifted to a hybrid model. Going into the office is the norm again for many. While compliance around Covid-19 safety regulations has relaxed, complacency at work may have crept in on some crucial factors for business to continue safely and securely. But complacency on cyber threats could be a disaster waiting to happen.

The World Economic Forum cites cyber risk as ‘the most immediate and financially material sustainability risk that organisations face today’. We are also starting to see regulators take note of those who aren’t prioritising cyber safety.

In Australia, a licensee in the financial services sector was the first to be taken to task by the Australian Securities and Investments Commission earlier this year, for breaching its license obligations. The breach related to failing to manage cybersecurity risks and while the ruling judge acknowledged it’s not possible to reduce cybersecurity risks entirely, it is possible to reduce some risk through putting adequate controls and documentation in place. This should be the standard.

Any business can be at risk

Any organisation’s risk management framework should account for cybersecurity risk across the digital supply chain within a business. By ignoring this, you could be seen as non-compliant.

To simplify what best practice in compliance is becoming, would be moving from tick-box to proving you did everything you could to avoid risks arising. What has happened in Australia is a good example of the consequences of ignoring best practice.

Assessing where your business is digitally vulnerable should be done on an ongoing basis. Cyber resilience should be the constant priority.

Incident response- and business continuity plans are paramount to being prepared in the event of a cybersecurity incident. If something does go wrong and a breach occurs, it’s important to disclose it to relevant parties as soon as possible, as well as to note it in any annual operational or financial reports. A record of any near-cyber incidents will also help to prove you are managing compliance responsibilities.

There should be very clear processes in place as to the expectations for all within an organisation, including sharing and storing sensitive data. A regular refresher on this is advised as bad habits and human error can creep in – which is even more likely in adjusting to hybrid work schedules.

More technology, less problems? Definitely not.

Through the global adoption of technology and digital transformation, as hybrid working takes over, new challenges have changed how we approach compliance. In the 2022 Reuters Cost of Compliance report, an alarming insight was the perception by some that increased technology meant reduced compliance requirements – when it can be quite the opposite, particularly as cybercrime risk intensifies.

Global cybercrime is predicted to reach $10.5 trillion per year by 2025, according to Cybercrime Magazine, an authority on global cyber statistics. Cybercrime density is another clue as to the risks we are really facing.

According to Surfshark, the Netherlands-based virtual private network (VPN), South Africa is number six out of the top ten countries with the highest cybercrime density. This means a high percentage of cyber victims per one million internet users. Poor knowledge around cyber safety was noted as a possible reason for making the list.

The Cybersecurity Bill and draft regulations are firmly on the agenda for South African government to finalise, as the battle for data privacy continues. With the hybrid working world set to stay, avoiding complacency on cyber threats is crucial. Prioritise strong compliance oversight, accountability and cybersecurity controls. This process will play a large part in keeping the lights on for business.