Organisational Resilience: Compliance Risk Strategy for 2023


There are a number of updates to regulations that will impact organisations in 2023. They will create new requirements for businesses to follow, new areas of risk, and more money and time spent adjusting to these changes.

Compliance strategies help cement trust in professional partnerships and vendor relationships. Whether organisations are trying to qualify for cyber insurance, or simply looking to obey the law and avoid fines, they are up against increasingly tough compliance measures. It is no longer sufficient to be compliant only once in a year, scramble in the two weeks before the audit, and then forget about it for the rest of the year.

What compliance tech trends should IT management adopt as they build and refine their technology roadmaps?  

Let’s look at some regulatory and technology trends.

Regulations to Watch

European Union Digital Operational Resilience Act (DORA). The EU is applying regulatory pressure on the financial services industry with its Digital Operational Resilience Act (DORA). DORA is a “game changer” that will push firms to fully understand how their IT, operational resilience, cyber and third-party risk management practices affect the resilience of their most critical functions, as well as to develop entirely new operational resilience capabilities.

One key element that DORA introduces is the Critical Third Party (CTP) oversight framework, expanding the scope of the financial services regulatory perimeter and granting the European Supervisory Authorities (ESAs) substantial new powers to supervise CTPs and address resilience risks they might pose to the sector.

Germany’s Supply Chain Due Diligence Act (SCDDA). On January 1, 2023, the Supply Chain Due Diligence Act took effect. It requires all companies with head offices, principal places of business, or administrative headquarters in Germany – with more than 3,000 employees in the country – to comply with core human rights and certain environmental provisions in their supply chains. SCDDA is far-reaching and impacts multiple facets of the supply chain, from human rights to sustainability, and legal accountability throughout the third-party ecosystem. It will address foundational supply chain issues like anti-bribery and corruption diligence.

From 2024, the employee threshold will be lowered from 3,000 to 1,000. Switzerland, the Netherlands, and the European Union also have similar draft regulations in the works.

PCI DSS 4.0. Payment Card Industry Data Security Standard (PCI DSS) is the core component of any credit card company’s security protocol. In an increasingly cashless world, card fraud is a growing concern. Any company that accepts, transmits, or stores a cardholder’s private information must be compliant. PCI compliance standards help avoid fraudulent activity and mitigate data breaches by keeping the cardholder’s sensitive financial information secure.

PCI compliance standards require merchants to consistently adhere to the PCI Standards Council’s guidelines which include 78 base requirements, more than 400 test procedures, and 12 key requirements.

Looking at how PCI has evolved over the years up to PCI 4.0, there is a departure from specific technical requirements toward the general concept of overall security. PCI 4.0 requirements were released in March 2022 and will become mandatory in March 2024 for all organisations that process or store cardholder data.

The costs of maintaining compliance controls and security measures are only part of what businesses should consider for PCI certification. Businesses should also account for audit costs, yearly fees, remediation expenses, and employee training costs in their budgets as well as technical upgrades to meet compliance standards.

Tech Trend Changes

Zero Trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data, and assets. Zero Trust as a model assumes all requests are from an open network and verifies each request this way. PCI 4.0 does not mention Zero Trust architecture specifically, but it is evident that the Security Standards Council is going that way as a future consideration.

Passwordless authentication has gained a lot of attention and traction recently. Large tech providers such as Google, Apple, and Microsoft are introducing passwordless authentication based on passkeys. This is a clear sign that the game is about to change. Just as the PCI DSS focuses on avoiding fraudulent activity, so do the newer authentication protocol approaches that verify and confirm identity.

Third-party risk management is quickly evolving into third-party trust management (TPTM), with the SCDDA creating a clear line in the sand for global organisations. TPTM is a critical consideration when standing up an enterprise trust strategy. Enterprise trust is a driver of business development that depends on cross-domain collaboration. It goes beyond cybersecurity and focuses on building trusted and lasting third-party relationships across the core critical risk domains: security, privacy, ethics & compliance, and ESG.

Final thought – Cyber Insurance in 2023

If some of these compliance drivers lead to a desire for financial protection, cyber insurance is one mitigation element of a strategy to address C-level concerns. But wait – this is not as easy as it used to be.

Five years ago, a firm could fill out a one-page cyber insurance application and answer a handful of questions. Fast forward to today’s world of ransomware attacks and other cyber threats – now getting insurance with favourable terms, conditions, pricing, coverage and low retention is tough.

Insurance companies prefer enterprises that are instituting robust security controls and incident response plans — especially those prepared to deep dive into their cybersecurity architectures and with planned roadmaps. In terms of compliance strategy development, there needs to be a risk-based approach to cybersecurity to allow an insurer to offer a favourable insurance option.

Innovations in Cyber Insurance – Lessons from Middle Earth


As people continue to work remotely to cope with the effects of COVID-19, organisations are revamping their infrastructure, educational institutions are adopting eLearning, brick and mortar shops are going online, and businesses across the globe are focusing on enhancing customer and employee experience to ensure business continuity.

Evolving Cyber Threat Landscape

These digitalisation trends are here to stay. However, as organisations strengthen their digital transformation agenda, this will unfortunately also make organisations more susceptible to cyber incidents. While cyber-attacks were already on the rise pre COVID-19, we have seen a marked increase with several high-profile global incidents coming to light post COVID-19 – which includes attacks not only on financial services companies, healthcare providers, local and national government infrastructure but also on numerous SMEs, that may not be geared to respond to these incidents.

A recent Global CXO study conducted by Ecosystm on behalf of Asavie found that around 44% of organisations faced cyber-attacks during COVID-19. The Future of the Secure Office Anywhere study, with feedback from over 1,000 business and technology leaders globally, also finds that of the organisations that faced cyber-attacks, a staggering 87% acknowledged that their employee devices had been compromised.

The pandemic also exposed the shortcomings of existing security measures, requiring organisations to shift their focus to cybersecurity. Another Ecosystm study on Digital Priorities in the New Normal indicates that the top IT priority for organisations in the midst of COVID-19 has been to re-focus their efforts on managing cyber risks and measures.

Cyber risk management - a key priority of businesses

Need for Cyber Risk Insurance

Our research finds that 71% of organisations think that a data breach is inevitable, irrespective of how much IT and cybersecurity teams evolve their prevention, detection, and response plans; and educate their employees of the potential cyber risks. Organisations face immense risks around sensitive data loss, financial consequences, cyber extortions, and loss of reputation. Cyber risk cannot be treated and viewed in the same way as other traditional risks to the organisation.

While cybersecurity remains a key priority, Ecosystm’s ongoing Cybersecurity and Data Privacy Research finds that only 45% of organisations globally have a Cyber Insurance policy. Given the strategic importance of Singapore as a regional hub, this figure is alarmingly low for the country. Perhaps Singapore’s strong Cyber and Data Governance frameworks are making businesses complacent?

Global cyber risk insurance adoption

An inhibitor to Cyber Insurance adoption is that organisations consider the process of evaluating their risks, defining their policy requirements, and the conversations with their insurance providers complicated.

InsureTech Increasing Accessibility 

Armed with innovations and leveraging data-driven intelligence, InsureTech companies are providing answers to some of the major customer issues. Cloud-based platforms make it easier to purchase on-demand policies and products. They are also able to provide more personalised products and services, taking into consideration organisations’ business strategies and culture.

InsureTech companies are creating innovative solutions to address cyber risks, calculate business risk, and provide digital resilience to help companies prevent breaches. In addition to this, InsureTech is enabling corrective actions to protect risk-assets that could help vulnerable organisations prevent catastrophic losses.

InsureTech Innovations from New Zealand

As a Kiwi, and a NZTE Beachhead Advisor, one thing I know is that people look to New Zealand for the human-centric approach we bring to almost everything. So it’s not surprising to see technology innovations that originate from ‘Aotearoa’ – ‘the land of the long white cloud’ – that exude simplicity and customer centricity. New Zealand has also seen an impressive growth in the number of FinTech and InsureTech start-ups that are expanding across international borders. What was once New Zealand’s limitation on the global stage with the tyranny of distance, has now been nullified with the advent of the digital economy – and the country finds its footing as a key player in the new global ‘Digital’ order. The technology sector has become a significant contributor to the New Zealand economy, in terms of jobs, GDP and exports, and has also led to the creation of a strong technology innovation partner ecosystem for international growth.

One area that is seeing innovation and start-up participation in New Zealand is InsureTech with a focus on cybersecurity. The sector is starting to see the emergence of an impressive pool of promising high-growth companies. A recent example of note demonstrates the focus on accelerating international expansion. The partnership between two of New Zealand’s prominent InsureTech companies – the Delta Insurance Group and Sentro – aims to drive a global growth expansion agenda. Delta Insurance Group, with its presence in Asia, the UK and Europe, has offerings in cyber risk security, data protection and cyber liability, and recently introduced its group Personal Cyber insurance (PerCy) into the Singapore market. Their newly launched product will be powered by Sentro – another Kiwi startup – that has recently won significant acclaim for its cloud-based platform hosted on Microsoft Azure. Its SaaS solution works behind the scenes to provide digital dashboards and cloud capabilities to Delta Insurance customers. For me, it is always encouraging to see such examples of New Zealand companies collaborating to offer their innovations to the world and punching above their weight.

Leveraging InsureTech Innovation

The adoption of technology – analytics, automation and cloud platforms – is bringing innovation to Insurance and benefits by optimising tasks across the value chain. Insurance companies are starting to understand the need to become more focused on digital transformation, to offer flexibility and responsiveness for a better customer experience.

The post-COVID-19 world is an opportune time for Cyber Insurance companies, and they have immense market potential. All they need to do is to be visionary, be customer-centric and re-imagine the future through a digital lens to extend value to customers. With the greatest FinTech showcase – The Singapore FinTech Festival 2020 from 7th to 11th December 2020 – round the corner in Singapore, I am looking forward to what promises to be an exemplary show of some of the world’s most resilient and innovative start-ups. And I am confident that New Zealand is going to find its spot front and centre! The Delta and Sentro partnership is just a preview of the innovation brewing in Middle Earth!
