A brief history of cybercrime
Cybercrime is defined as illegal activity conducted on a computer and generally includes phishing, ransomware, malware, identity theft and online scams.
Conversely, Cyber Security means the techniques of protecting computers, networks, programs and data from unauthorised access or cyber-attacks by cybercriminals, terrorist groups, hackers, hacktivists and governments.
The first recorded cybercrime occurred in the 1970s, and cybercrime has grown at an exponential rate since then, with major data breaches fuelling the meteoric increase in fraud and other financial crimes.
What is the impact of cybercrime on the world economy?
According to the Hiscox Cyber Readiness Report, published in February 2018 following a survey of 4,100 executives, “cybercrime costs the global economy over USD$450 billion with over 2 billion personal records stolen”. The report found that 53% of companies assessed were ill-prepared to deal with an attack, and just 30% were rated ‘expert’ in their overall cyber readiness.
The key observations made in this report were:
- 7 out of 10 organisations fail the cyber-readiness test – 73% assessed as ‘novices’
- 66% rank cyber threats alongside fraud as the top risks to their business
- Smaller firms lack the resources and devote a smaller proportion of IT budgets to cyber
- 45% of 4,103 organisations surveyed were hit with at least 1 cyber-attack in the last year
- The average cost of cybercrime on those impacted was $229,000
- 59% of respondents expect cybersecurity spending to rise significantly in the next year
- Rise in demand for cyber insurance following tough penalties for loss of personal data under the EU’s General Data Protection Regulation (GDPR)
What can you do to build resilience against cyber and data risk threats?
It is essential that organisations develop effective cyber and data risk management programs that can help them to combat the increasing volume and sophistication of cyber attacks perpetrated by cybercriminals, hacktivists and other hackers.
There are six key steps that organisations can take towards maturing cyber and data risk management programs:
Clearly define context, scope and priorities
Firstly, it is important to define the organisation's internal context to understand its business objectives, priorities and overall approach to risk management. It is also important to understand the external context of the business (for example, its industry sector, the size and complexity of the organisation, and the commercial and regulatory environment in which it operates) in order to determine scope and priorities.
Perform a current state assessment
Next, it is important to understand the cyber, data privacy and data protection obligations that the organisation is expected to comply with, and to perform a gap assessment by mapping existing policies, procedures and controls against these obligations. Where controls exist, control testing should be performed to examine their design and operational effectiveness, as well as their maturity.
Conduct a risk assessment
Next, organisations should conduct a cyber security and data risk assessment in the broader context of the organisation's overall risk management process. The aim is to identify potential risks and threats, determine their likelihood and potential impact, and then examine the existence and effectiveness of any controls that have been implemented to reduce the overall residual risk exposure.
Build an effective cyber and data risk management program
Having understood the organisation's level of compliance against its cyber, data privacy and data protection obligations, it is important to then develop a robust and pragmatic cyber and data risk management program that meets the organisation's needs, based on the nature, size and complexity of the organisation and an understanding of the main risks and threats identified during the risk assessment.
Determine and prioritise gaps
Having assessed the organisation's risks and threats, as well as its current level of maturity, it is then important to determine any gaps and create a prioritised action plan outlining the key initiatives, resource requirements and timeframes by which these gaps can be addressed to meet the desired target state.
Implement the action plan
The final stage in the process is to track and monitor the agreed actions that will be taken to mature the organisation's cyber and data risk management program, and to measure and report progress against committed actions.
What solutions do we offer?
Arctic Intelligence is a RegTech business that enables audit, risk and compliance ‘as-a-service’ through technology, allowing our solutions to guide you to compliance.
Most cyber, data protection and privacy laws, such as GDPR and BCBS239, require organisations to have effective risk assessment and management programs in place in order to demonstrate compliance against these laws and standards.
Adopting a risk-based approach has the following benefits:
- Identify and assess risks – in terms of the likelihood and potential impacts
- Mitigate and manage risks – by implementing proportionate and appropriate controls
- Identify gaps and opportunities for improvement – prioritise actions and develop plans
- Demonstrate effective risk management – to key internal and external stakeholders
Conducting risk assessments and identifying controls that can mitigate and manage these risks continues to present significant challenges to many regulated businesses, which is why we have focused on our risk assessment platform.
The Risk Assessment Platform is designed to help you to identify, assess, mitigate and manage risks for cyber security, data protection and data privacy.
The platform is highly configurable, allowing you either to purchase a content library or to create or upload your own risks and controls, as well as to change the risk methodology and risk weightings across the model and align the assessment to your risk management framework.
Data Risk Management Program Manual
Having completed the cyber and data risk assessment, you should create and maintain a Data Risk Management Program Manual documenting the systems, procedures and controls that you have in place to mitigate and manage the identified risks.
Documenting a Data Risk Management Program Manual that is appropriate and proportionate to your risks, contains all of the expected sections and content, and reaches the level of detail expected by domestic and international regulators often presents a significant challenge for regulated businesses, which is why we developed the Data Risk Management Program Manual.
Our Data Risk Management Health Check platform also contains a Data Risk Management Program Manual based on international best practice, which can be tailored to suit your organisation's specific circumstances.
Regulated businesses are required to conduct induction and ongoing money laundering and terrorism financing risk awareness training for employees, which may vary depending on their role within your organisation.
It is also expected that you maintain training records to demonstrate that training has occurred and where appropriate, that required competency levels have been met.
Arctic Intelligence has partnered with GRC Solutions, the recognised leader in the online compliance education market in the Asia Pacific region to offer access to first-class and affordable online financial crime, risk management and compliance training through the SALT Compliance e-Learning Library.
In order to determine whether the Data Risk Management Program is effective in managing your organisation's cyber, data protection and data privacy risk exposure, it is important to conduct regular independent reviews to determine whether the control framework is fit for purpose and operating effectively. It is also important to identify any compliance gaps and opportunities for improvement, and to document key findings and observations, as well as management actions to address deficiencies.
The Data Risk Management Health Check solution is an online platform dedicated to controls assurance and provides a structured framework for conducting independent reviews to assess the design and operational effectiveness of cyber security and data protection/data privacy programs.
The Data Risk Management Health Check is aligned to different standards (or you can import your own obligation registers and control libraries), reflects international good practice, and is applicable across all jurisdictions and to small, medium and large organisations of every type, including the public, private and not-for-profit sectors.
The Data Risk Management Health Check is typically used to perform:
- An internal self-assessment against regulatory obligations;
- An assessment of a third-party for due diligence purposes;
- Independent reviews by internal audit functions of major reporting entities;
- Independent reviews / gap assessments performed by consultants; and
- Remediation programs to track improvements against regulations.
The Data Risk Management Health Check platform has been designed to leverage best practices in risk management controls assurance. It is built on a logical hierarchy that links rules and obligations with policies, risks and controls, and provides a means of assessing compliance against obligations, prioritising responses, recording auditor comments and management responses, assigning actions, and attaching documentary evidence to support audit findings.
After the assessment has been completed for each compliance obligation, users can create executive summary reports directly from the platform, highlighting the key observations, findings and recommendations, as well as the actions, issues and risks identified during the review process.
The Data Risk Management Health Check platform also contains rich data analytics that provide actionable business intelligence, including: real-time operational dashboards for tracking open and outstanding actions, issues and risks; interactive reports that can slice and dice audit data in many ways, including drilling into particular areas of interest and benchmarking audit outcomes across different timeframes, divisions and countries; and a single-page summary of the compliance status across hundreds of compliance obligations.