Managers are in the midst of a perfect storm where a number of cyber issues need attention. Because digital technology is now integral to most companies’ activities, all board members need to possess digital savvy. This post is a first step in understanding some of the fundamentals.
Spencer Stuart, a global executive search firm, noted in a recent survey that top management teams are grappling with how to ensure that the risks and opportunities emerging from a diverse set of digital forces — ranging from artificial intelligence and robotics to cybersecurity, data science and e-commerce — are fully understood by top executives and factored into the business strategy and the discussion of what to publicly disclose and when.
IT governance includes oversight of both cybersecurity and how technology can drive value for the firm. Given the responsibility of enterprise risk management, and the growing issue of cyber risk specifically, we will focus on likely types of cyber incidents and how the firm, its stakeholders and regulators regard their significance.
While digital innovations pose a real threat to business as we know it today, 61 percent of those who responded to the 2020 NACD survey report they would be willing to compromise on cybersecurity to achieve business objectives, while only 28 percent prioritize cybersecurity above all else. And, the pace at which digital innovation and diffusion is taking place is far faster than governments and regulators can keep up with. According to research by Arthur D. Little, in 2021, total damages from cyber incidents exceeded $1 trillion worldwide, up more than 50% from 2018 levels.
Cyber Incidents, Privacy and Security
A cyber incident is a violation of some aspect of the firm’s security policy (e.g. unauthorized access to personal information, or improper use, storage or processing of data). Security is about protecting personal information (PI), while privacy is broader and encompasses the permission for, and use of, personal information. Privacy is difficult to achieve without security. PI means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
However, my research suggests that organizations can successfully secure the personal information in their custody and still make bad decisions about how the personal information they have collected is subsequently used. Given the vast amount of personal information generated by millions of consumer transactions each day, there can be serious privacy problems resulting from the storage, analysis, use, or sharing of this information. The extensive use of increasingly more data—often personal, often sensitive—and the growing reliance on algorithms to analyze them in order to shape choices and to make decisions (i.e. artificial intelligence) are at the root of the harmful effects of collecting PI. What’s more, some experts believe there has been a gradual reduction of human involvement in these automatic processes and that they, too, pose pressing concerns about fairness, rights and responsibilities.
Still, there are also many benefits to collecting and using such information. For example, noted privacy researchers Kathleen Greenaway and Yolande Chan showed that an organization’s information privacy behaviors can help a firm achieve legitimacy and can provide a strategic advantage to an organization. Also, the vast amounts of information that can be mined may offer firms a new product line or service and, as a result, a new revenue stream.
Information reuse and unauthorized access
Let’s zero in on a few key issues arising from the way organizations process PI: information reuse and unauthorized access to personal information. Typically, information reuse involves organizations making decisions about new uses for the PI they collect, while unauthorized access represents activities that violate either laws or corporate policies. Both activities – information reuse and unauthorized access – can potentially threaten a consumer’s ability to maintain a condition of limited access to his/her personal information, harm individuals, and subsequently threaten the organization’s legitimacy in its interactions with consumers, shareholders, and regulators.
Additionally, what starts out as authorized access can create privacy and security issues. PwC reports that 63% of all cyber-attacks could be traced either directly or indirectly to third parties, such as application developers. These third parties often maintain less stringent security protocols, raise fewer suspicions and allow for easier identity masking — providing ideal points of entry for attackers looking to leverage unauthorized access.
Privacy Legislation – a Fragmented Landscape
While companies see the importance of collecting and analyzing consumer data, they also see the risks. Calls for better privacy protection face a daunting set of fragmented laws and regulations, which are often country specific, making it challenging for companies to comply. It’s helpful to focus on three key regions, the U.S., the E.U. and Latin America, as a basis for comparison.
In the United States, as of this writing, there is no federal-level law covering consumer privacy rights. However, in June of 2022 a bipartisan group in the U.S. Congress put forth a privacy bill designed to protect consumer PI.
At present, though, the U.S. Federal Trade Commission (FTC), which has responsibility for enforcing fair trade practices in privacy and data use, recommends that businesses offer consumers greater disclosure and simple opt-out tools. On June 28, 2018 the California State Legislature passed a law known as the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020 and aims to provide Californian citizens and residents with more information about how companies collect their personal data, outlining several rights to PI. Fines are enforced by the California Attorney General and can reach up to $7,500 per violation (in the case of intentional violations). Non-intentional violations remain subject to a $2,500 maximum fine. Several other states in the U.S. are considering similar laws. India, China, Russia, Canada, and Brazil all adopted privacy laws in 2018.
Unlike the uncertainty of PI collection in the U.S., the European Union has recently placed strict regulations on businesses in regard to using big data. This law, called the General Data Protection Regulation (GDPR), prevents EU companies from collecting and processing any data that can be connected to an identifiable person without prior consent. In addition, individuals have the ability to block companies from collecting their data and using it for profiling purposes. Implemented in May of 2018, the GDPR has also imposed conditions on how the information is stored and for how long.
In fact, one of the key differences between the GDPR and the CCPA is the consent to data collection. The GDPR specifically requires consumers to opt in, that is, to consent to data collection before the site collects the data. The CCPA offers consumers only the right to opt out: companies make available information about how they collect, use, and share personal information and allow individuals to opt out if they desire. While there are pros and cons to each approach, experts generally agree that opt-in privacy rules create a greater sense of control over PI.
In Latin America, there are few reporting requirements for companies experiencing data breaches, and these organizations do not face much by way of penalties for failing to protect consumers’ sensitive information. But the stakes are high: Brazil, for example, has lost approximately $8 billion as the result of cybercrime but has not yet passed a general data protection law.
In the absence of any clear law, Latin American companies have been gradually incorporating disclosures on cybersecurity in their corporate annual reports on a voluntary basis, according to the risk potential – either as an emerging risk or an operational risk. Further, risk management and data privacy have generated increased disclosure on cybersecurity, especially in the financial sector. At the same time, Latin American companies that participate as issuers in the U.S. stock market must also report the risk factors related to cyber risk on a mandatory basis in the annual report, as required by the SEC.
The next step is to consider how your board might respond to a cyber incident given this fragmented set of regulations.