The National Payments Corporation of India (NPCI) was compelled to put out a notice that Unified Payments Interface (UPI), Immediate Payment Service (IMPS) and other payment systems of banks serviced by C-Edge would be temporarily unavailable.
This malware breach once again brought to light the fact that it’s no longer a question of if a cyber-attack will happen, but when.With cyber attacks increasing in both frequency and intensity, the demand for cybersecurity is on the rise and it is the chief executive officer (CEO), not chief information officer (CIO), on the hot seat, answering questions such as:
Can you say for certain that we aren’t under cyber attack right now? If we are being hacked, how safe is our most valuable data? Is the organization prepared if our systems go down for an extended time? What is your best estimate of the impact on our finances, investors and customers?
According to BCG estimates, cybercrime costs the global economy at least $2 trillion a year. India emerged as the second most targeted nation in APAC, with 2,138 weekly attacks per organization, trailing only behind Taiwan’s 3,050 incidents in 2023, as per a CheckPoint report.
The impact of cybercrime on Indian Financial Institutions is estimated at ₹1.67 trillion over two decades. Little wonder then that every CEO is expected to take direct responsibility for protecting the company against cybercrime and be accountable to regulators, the investing public, the board and other stakeholders. So, what just got added to the CEO’s vigilance perimeter?
A broadening cyber battlefield: For years, the overwhelming majority of cybersecurity breaches have stemmed from organizational or human failure. This is still the case, but new tools are making phishing attacks—the oldest and most common hacking technique—easier, more effective, and less time-consuming to execute.
Further, with generative AI, infiltrators can create more realistic deepfake content, as evidenced by a recent scam reported at a Hong Kong bank where an entire meeting was faked and $25.6 million was stolen.
Threats to digital transformation: Companies that are going through a digital transformation are vulnerable. They have to manage two types of technologies—their legacy IT and solutions and those they are migrating to. These transitions create openings for hackers to exploit.
Third-party vendor risk: Companies are increasingly becoming perimeter-free, expanding the number and type of third-party vendors they work with, and their supply chains are becoming more complex. Each additional link to a third party presents a potential window into a company’s network.
Intensifying regulatory oversight: Regulators across the globe, especially in the US and Europe, are imposing a greater legal onus on CEOs to ensure that companies have robust cybersecurity risk-management procedures, controls and governance in place.
Government watchdogs also insist that companies be more transparent about breaches and their consequences. It is a matter of time before Indian regulators also follow suit and even lead. Every CEO has to craft her own Cyber-Ready Playbook to stay ahead of the curve.
Four key actionable areas:
Quantify the risk: It is the job of the CEO to quantify every risk; cyber-risk is as real as any other financial risk. The CEO must mandate the chief revenue officer (CRO) to quantify, track and mitigate this risk.
This should apply to digital transformation projects and third-party integration as well. Similarly, risk must be monitored with routine vigilance both on and off the system. For example, social media posts, customer service complaints, etc.
Shore up the workforce: The critical lack of cybersecurity professionals is making companies vulnerable to online criminals. The World Economic Forum estimates a skill gap of 4 million people in cybersecurity.
CEOs must train their lens on investing in the right talent and prevent internal employees from inadvertently creating cyber threats.
Invest in technology resilience: A security breach happens when least expected. Hackers with ‘nuisance value’ have all the time and resources to prey upon vulnerable moments. The CEO, however, has to work on zero response time once an attack is confirmed.
Investment in technology to systematically detect and monitor cyber intrusions and develop a playbook to build automated responses linked to a command centre is key. This ‘triaging and escalation’ system must advise appropriate responses, so that the system becomes self-healing.
Collaborate and lobby together: As a CEO, you don’t have to fight this battle against cyber warfare alone. Our recommendation is to seek help from experts in the field and collaborate with other CEOs and influence regulation, so that cyber attacks are penalized and the government sets up an active task force to fight them.
Cybersecurity is a humongous war that we can only win collaboratively.
The authors are, respectively, platinion managing director; managing director and partner; managing director and senior partner; and global leader fintech as well as India head financial institutions, BCG
#practitioners #playbook #cyberready #CEO #tame #humongous #threat
