Cyber-risk top concern for CEOs

Irish CEOs are becoming increasingly concerned about the dangers posed by cyber-risk and many are taking steps to mitigate the potential threat to the bottom line. 

Cyber-risk has moved up the corporate agenda, cited as the dominant risk facing business leaders this year in a new global CEO survey.

Forty-nine per cent of the respondents in PwC’s 25th Annual Global CEO Survey identified cyber-risk as their top concern, up from 47 percent and second place in the same survey last year.

Irish CEOs are even more concerned about cyber-risk than their global counterparts, the report has found, with 58 percent citing it as the top threat they face this year, compared to the global average of 49 percent.

For Pat Moran, Partner and Cybersecurity Lead at PwC Ireland, these findings are no surprise. 

When Moran joined PwC in 2016, his cybersecurity team had fewer than 10 people. Now, in response to rising demand from clients nationwide, the headcount has risen to more than 50.

“Cybersecurity is a major issue now, but that wasn’t always the case. I remember working for a bank back when I started my career. We would carry out technology audits and present our findings to the audit committee, but we were generally at the bottom of the agenda,” said Moran.

“Cyber-risk was seen as a very technical area; one that couldn’t really have any major impact on the wider organisation. These days, it’s very much the opposite. 

“Everyone wants to know about potential cyber-risks – the audit committee, the management team, the board of directors. Cyber-security is seen as a major business issue, and with good reason.”

The high-profile ransomware attack on the Health Services Executive (HSE) in 2021 had the effect of catapulting cybersecurity even further up the corporate agenda in Ireland.
“The HSE incident was a major wake-up call for all organisations in Ireland in both the public and private sector,” said Moran.

“It caused unprecedented disruption and people realised that, if something like this could happen to a critical public service like healthcare, it could happen to anyone. That was when the penny really dropped and organisations in Ireland started to sit up and think seriously about cyber-risk.”

Eight-two percent of CEOs in Ireland have factored cyber-risks – including hacking, surveillance and misinformation – into their strategic risk management, according to PwC’s Annual Global CEO Survey.

As Moran sees it, however, many are still unprepared for a potential cyber-breach and have yet to put systems in place to ensure business continuity and recovery.

“The HSE attack really showed, not just the financial risk associated with a cyber-breach, but also the potential risk to an organisation’s reputation,” he said.

“Dealing with a cyber-attack can be a nerve-racking experience. Just this week, I got a call from a client hit by a ransomware attack and they were really panicked. 

“They weren’t sure what their next steps should be; how they should communicate the incident internally; who they should contact outside the organisation. They hadn’t figured out the chain of communication, and that really added to the upheaval they were facing.”

Moran advised CEOs and management teams to examine the response from Paul Reid, CEO of the Health Service Executive, to the ransomware attack on the HSE to help formulate their own response strategy in the event of a similar cyber-attack on their organisation.

“Paul Reid was out there front-and-centre, supporting the HSE messages going to the public and the media. That really helped to mitigate some of the impact,” said Moran.

“The number of organisations reliant on their online presence and ability to do business online increased dramatically during the pandemic, and consumers and clients can be quite unforgiving when it comes to data breaches, in particular.

“They get understandably nervous when an organisation with access to their data is compromised. The question is: ‘If security is an issue here, do I really want to be a customer?’” 

How organisations communicate in the event of a data breach is, therefore, critically important, according to Moran. 

“I think CEOs and boards do now understand that a cyber-incident or attack doesn’t just impact one part of an organisation. It impacts all parts of the organisation,” he said.

“It impacts every employee. It impacts customers and suppliers. It impacts the leadership and the board and they need to play a really prominent role in any recovery from a major incident, and in planning for that recovery – not just in prevention.”

The HSE attack was traced back to Conti, a ransomware group thought to be based primarily in Russia, which has since signalled its support for Russian President Vladimir Putin’s assault on Ukraine. So, what does this mean for the global cyberthreat landscape in 2022?

“There is now an increased risk that there will be more cyberthreats and attacks coming from Russia,” said Moran.

“Richard Browne, the Director of the National Cyber Security Centre, has advised that organisations be vigilant and monitor their networks for potential vulnerabilities, phishing or denial-of-service attacks. 

“Speaking to our own US colleagues at PwC, there is definitely an expectation that we will see more attacks. Our guidance to clients is to increase monitoring activity and rehearse their incident response, so that – in the event of something happening – they can respond quickly, and people know in advance what their roles and responsibilities will be.”