Cybersecurity No Longer Restricted To Standard ICT Domain: CII-KPMG Report
Cybersecurity is no longer restricted to standard ICT domains. It encompasses multiple areas of an organisation, including but not limited to human resources, supply chain management, administration and infrastructure, and therefore requires governance at the highest levels. These observations are highlighted in CII-KPMG’s report titled ‘De-risking India in the new age of technology’.
The paper, launched on Monday at the 2nd CII National Risk Summit 2016 – DeRisking India Inc for Global Competitiveness, suggests that cybersecurity has started gaining visibility at the top level and is now an essential part of the boardroom discussion.
Regulators are increasingly holding a company's board members and senior executives accountable for its cybersecurity, often with stiff penalties, including but not limited to heavy fines and legal consequences. The leadership level, therefore, needs to be aware of the internal and external cyber threats and incidents that can affect or are affecting their organizations. The various chapters in the report highlight the potential of adopting stronger policies, implementing stricter controls, regulatory compliance, increasing employee awareness and taking the necessary actions to mitigate risk. These refer to several challenges that India Inc. may encounter in the near future and propose different ways in which the risks arising out of the business environment can be suitably managed.
Richard Rekhy, Chief Executive Officer, KPMG in India said, “It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust. It would also help accentuate the growth with strong processes in place. Managing risks and aligning it with all key stakeholders must be on top of every board’s agenda.”
Mritunjay Kapur, Partner and Head, Risk Consulting, KPMG in India, said, “From drones to smart offices, new age technologies have not only transformed the traditional way of doing business but have also given way to unforeseen risks that can lead to serious consequences, if they go unmanaged. It is imperative to understand the ramifications of such transformational technologies and design appropriate risk management strategies to de-risk our environment. This whitepaper is our first step to de-risk India. We explore the challenges that organisations face and then suggest the better risk management practices that can be followed in an accelerated environment of cognitive technologies to harness an organization’s potential to the fullest to balance the risks and opportunities.”
Some of the key de-risking observations presented in the paper are as follows:
• An organisation cannot rely solely on technical controls to avert a cyber-incident. It needs a combination of the right people, processes and technology to prevent such incidents.
• Companies should develop a compliance checklist to ensure compliance and obtain management/process owner sign-offs.
• Banks must have a risk management framework to not only mitigate pillar 1 risks such as credit, market and operational, but also have a framework to deal with other significant risks such as strategic/business risk, compliance risk, reputation risk, etc. to enable them to stay competitive with the changes in the banking environment.
• Robotics and cognitive technologies not only support an organisation in managing its risks, but can also help eliminate potential operational risks. The new-age disruptive technologies bring much-needed controls within an organisation.
• While technology is expected to play a great role in fraud detection, the continuing effectiveness of technology-based fraud detection systems largely depends on the fraud risk intelligence configured on the detection systems. The higher the number of false positive alerts generated by the tool, the lower the reliance on the outcome.
• Apart from the clear advantage of avoiding legal and regulatory penalties and complications, effective regulatory and compliance risk management can enable companies to be a differentiator in the market by infusing confidence in existing and prospective customers or stakeholders.