Perspectives 2019 2020 Public Sector

86 From Security to Resilience The mix of public sector and C-suite (CEO, CFO, CRO, CIO) along with banking and public affairs heads enabled strategic conversations with wider perspectives, whilst remaining anchored in reality. These diverse views took cyber out of the domain of information security and made it a business, financial sector and real economy issue. By making it more relevant and meaningful, these types of exercises help evidence why C-Suite should care and not just delegate to the tech teams. Cyber is a Business, not Tech, Issue The Internet and access to data allow small- and medium-sized companies to scale globally from day one. According to Forrester, 1 global cross-border B2C e-commerce will reach US$ 627 billion by 2022, having more than doubled over just five years. This highlights how the digital economy is a key driver of growth and development across the world — with Huawei and Oxford Economics estimating that the digital economy will account for 24.3% of global GDP by 2020, growing at 2.5 times the pace of the overall global economic growth. Cyber and the new concept of Operational Resilience are fundamental to enabling business in today’s interconnected, dynamic, and technology-based market. Rapidly increasing digitization is creating new risks and amplifying existing risks. It increases technological interdependences, configuring new tech to decommissioning legacy tech, and factoring in new risks into traditional activities, such as mergers and acquisitions. Historically, securing the payment channels has been the regulators’ and industry’s focus. However, focusing on payment to the right beneficiary on a timely basis is equally as important. Security of payment channels requires the same attention as does the need to develop competitive and effective platforms. Without the “pipes” of the financial system being resilient, the capital flows fueling economic development could be impaired. Further, countries and firms perceived to have weak cyber resilience may see a decrease in foreign direct investment or access to capital, with low cyber scores in future credit ratings 2 negatively impacting access to finance. On top of this, a firm with weak cyber security can have knock-on effects on its whole sector, creating negative impacts on the wider industry or economy’s performance and stability. This directly affects other areas — poor cyber resilience impacts the available investment, resource, and deployment capabilities to deliver on the UN Sustainable Development Goals and other critical public sector initiatives. However, the “cyber” problem is only forecasted to get worse. The Accenture & Ponemon’s 2019 Cost of Cybercrime Study highlights that the over the last five years the average cost of cybercrime for an organization increased 72% to US$13.0 million. Another Accenture report 3 estimates that in the private sector, over the next five years, firms risk losing an estimated US$5.2 trillion in value creation opportunities from the digital economy to cyber security attacks. If cyber resilience awareness, culture, and collaboration are rapidly improved over the coming years, the cost of controls and value at risk would decrease. By better understanding areas or weakness, there could be more efficient deployment of resources across both public and private sectors. Public-Private Partnership To be effective, the cyber public-private partnership “collective defense” model will require deeper cross- sector partnerships in a coordinated manner to reduce risk. Whilst great progress has been made over the years coordinating information sharing, there is an urgent need to evolve the model, so that it goes beyond “sharing” to “coordinating” risk management actions based on the shared information. To improve cyber resilience, central banks and other public sector bodies need to come together to drive this collaborative risk management strategy development. 1 https://go.forrester.com/press-newsroom/cross-border-ecommerce-will-reach-627-billion-by-2022/ 2 For example, the partnership between S&P Global Ratings and Guidewire Cyence Risk Analytics announced in 2018, following a warning in 2015 from S&P that it would downgrade credit ratings for banks with weak cyber security, even if they hadn’t been breached. Moody’s emphasized the threat of cyber risk in 2015 , and, similar to S&P, also announced in 2018 that it would evaluate organizations on their risk of a major impact from a cyber-attack. https://www.businesswire.com/news/home/20180216005674/en/SP-Global-Ratings360%E2%84%A2-Include- Cyber-Risk-Insights; https://www.insurancejournal.com/news/international/2015/06/10/371100.htm ; http://www.maalot.co.il/publications/ OAC20150708094842.pdf; https://www.moodys.com/research/Moodys-Threat-of-cyber-risk-is-of-growing-importance-to--PR_339656; https://www.cnbc.com/2018/11/12/moodys-to-build-business-hacking-risk-into-credit-ratings.html. 3 Securing the digital economy, Accenture. https://www.accenture.com/us-en/insights/cybersecurity/reinventing-the-internet-digital-economy