Don’t Leave the Door Open for Cyber Fraud

EACT Breakout Session

In a demonstration of how easy it is to fall prey to fraudsters, drawn from real-world experience, criminals found it all too easy to locate employee credentials on the dark web, contact their employer’s IT to make password changes and execute a ransom fraud that escalated into a $100m cost for the business. The case highlighted the impact of losing such huge sums in unplanned cash outflow and, in this instance, a subsequent negative outlook from a rating agency.

The panel’s message was clear: failure to update systems frequently makes it too easy for criminals to inflict damage on businesses, losses can be significant, and cyber risk is now considered a higher immediate threat to business than climate risk.

It was noted that events are conspiring to make fraudulent attacks easier to perpetrate. There are more people working from home. SaaS is increasingly prevalent as more digital technologies are used. And attackers are becoming more sophisticated, with access to cutting-edge tools.

The level of threat means regulators are starting to pay far more attention. New regulation is coming in the EU (including the Digital Operational Resilience Act, and Network and Information Security Directive 2) to combat cyber fraud. And for the first time ever, the U.S. Securities and Exchange Commission (SEC) has individually sanctioned a CIO for failures.

With credit agencies taking cyber performance into account when making their credit analysis, it’s clear that cyber risk needs to be priced into company valuations. Many firms will need to start providing information to investors on cyber performance. However, where companies are open about their cyber-security strength, they may use it as a competitive advantage.

With new regulation recently published on instant payments, EACT’s involvement has been significant in its preparation. It has been working with the regulators to explain member concerns around cyber fraud.

In responding to consultations, publishing position papers, and meeting with the regulators, the EACT’s lobbying has been successful, for example in getting the IBAN-Name Check into legislation. All banks will be obliged to use IBAN-Name Check for instant payments by October 2025. There is already general agreement that it will also be included in PSD3. The EACT is now lobbying to have the legislation rolled out to countries outside the Eurozone. However, there is not yet one standard across Europe.

Questions from the audience raised the possibility of corporates receiving an official ‘cyber rating’. Moody’s has been incorporating views on cyber performance for the past two years, with the possibility of including related information within its full credit reports within the next two years. It is yet to be decided how this data will impact overall ratings.

The power of quantum computing was also raised as a vehicle for fraudsters. Should it ever be used, current ways of encrypting and saving data will no longer provide sufficient defence. Within five years, a move to stronger encryption and security protocols will be essential to counter the potential risk. Regulators will also need to start thinking about it now, although there is much debate on when quantum computing might be deployed by criminals, with a five- to 20-year time frame suggested.