Should companies be forced to report cybercrime attacks?
With ransomware incidents on the rise, many firms prefer to quietly pay the criminals in order to restore their systems and avoid negative publicity
Criminal hacking of public and private businesses happens at a rate some experts describe as “frightening”, while others believe the situation is adequately taken care of by existing and ever-evolving cyber security precautions. But no one knows for sure what the extent of the problem is because companies are more willing to pay the ransom demanded than admit they have been hacked.
Many business leaders fear the adverse media and publicity backlash of disclosing that they have been hacked. In the private sector, particularly financial services, shareholder value is especially sensitive and stakeholders’ fears that a company’s digital systems are dodgy might trigger a flight of investment.
The problem is far greater than it would seem. We have crossed the threshold some thinkers have dubbed “the sixth revolution”. With the coming of the internet of things, virtually every machine will be connected to all others.
Ransomware is a relatively recent cybercrime innovation and is growing in popularity among hackers. Perpetrators infect company computers with a virus that holds selected files hostage until a ransom is paid.
The malware is cheap to install, is extremely profitable and is expected to proliferate. The Federal Bureau of Investigation reports that ransomware attacks in the US netted about $1.6m in 2015. IBM estimates it will be around $1bn for 2016, as 70% of US businesses infected with ransomware reported that they had paid the ransom to regain access to their systems and business data.
Paul O’Sullivan, head of a forensic and fraud investigation company, believes cybercrime is bigger than it seems, “just as it is for most crimes in SA”.
“There’s enough legislation that provides for the reporting of certain crimes. It’s a crime not to report such crimes as terrorism and corruption,” he says.
“You can understand the logic of that. But should it be an offence not to report every single crime? I don’t think so. You’d be building a nanny state, or even a police state.
“We already have a raft of legislation in this country. Take the Regulation of Interception of Communications Act as an example. It has imposed an extremely costly burden on the cellphone industry.
“It is only enforced against honest citizens. Criminals bypass the act completely because they use phones registered to people who don’t exist.
“So who do you prosecute? You can’t get the guy who doesn’t exist because he doesn’t exist. All you’re doing by creating another layer of legislation is that you’re creating more work for the police and for already overburdened company management. Self-regulation in such issues is far better.”
O’Sullivan says if the damage to a company is so great after a cyber attack that it can’t pay its creditors, it has a legal obligation to report that fraud.
However, he says it would be “a sad day for the country if it [cybercrime] is made a reportable crime. There are so many unnecessary bureaucratic burdens imposed by the state already. We’re already becoming a nanny state.”
A lack of IT security or outdated protection in less developed countries gives hackers a launching point from which to infiltrate countries such as SA and Kenya, says US computer security software company Check Point.
“A large bank in SA could have a small branch in Tanzania,” says Check Point SA manager Doros Hadjizenonos.
“Hackers could exploit weaker security controls in Tanzania to gain entry into the bank’s larger network. This is why third-party links should be subject to even more stringent security controls.”
Hadjizenonos says malware targeting mobile devices is also growing rapidly and warns that “many organisations are not applying adequate security measures to protect them or their users, putting sensitive corporate data at risk”.
Cybercrime continuously metamorphoses to appear in myriad guises.
A new handbook issued by the US Internet Security Alliance advocates aggressive proactive steps. “We need to be focused on cyber security on the front end, not just the back end,” says the alliance’s CEO, Larry Clinton, adding that the cost of cyber attacks is expected to spiral to $6-trillion by 2021.
O’Sullivan does not believe the top management of big companies are necessarily sufficiently cybercrime-savvy.
“I don’t expect them to be,” he says. “What every big company should do — because there’s no big company today that’s not using technology — is have a chief information officer, someone who has the necessary competency, along with a cybercrimes expert … to safeguard the company.
“Call him the super-risk management director or officer, and he should report to a nonexecutive risk subcommittee.”
Michael Judin, a commercial and corporate governance lawyer at Johannesburg law firm Judin Combrinck, is in favour of compulsory disclosure with limitations. While frequent disclosure of insignificant cyber incidents could result in adverse consequences, everything material to stakeholders should be disclosed.
Such decisions should be made by technology and information officers, he says, but if a company does not have such staff, the board should make the decisions.
“Principle 12 of King 4 requires that the governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objective,” says Judin.
“So, bearing in mind that King 4 is an apply-and-explain code, all organisations must comply with that principle and explain how they are doing so.”
Some business leaders are cybercrime-savvy and others are not, some have specialised staff and some don’t and some are proactive and alert to the threat, says Judin.
“But the bottom line is, in terms of King 4, the common law and the Companies Act, any director, prescribed officer or committee member who fails to protect the organisation and its stakeholders will be in breach of his or her fiduciary duty and will be liable for any loss, damages or costs sustained by the organisation as a consequence of the breach of either the act or the common law.
“This is not a game, it is deadly serious given that it is not if you will be hacked, but when you will be hacked.”