Cyber Breach? How to survive a Hack

· cybercriminal,cybersecurity,reputation risk

This is part 1 of a 3-part series that covers the highlights from the cyber breach simulation delivered at the Thomson Reuters 2nd ASEAN Regulatory Summit in Singapore on 1 September 2016. Part 1 covers the breach, Part 2 covers the ransom and Part 3 covers managing the fallout.

As Chief Reputation Risk Officer and Managing Partner, RL Expert Group, I had the opportunity to collaborate with Ernst & Young Lead Partner Cybersecurity Asia Pacific, Paul O'Rourke, Counter-espionage Expert and Managing Director of Jayde Consulting, Julian Claxton, and Thomson Reuters Senior Editor, Patrick Fok.

The event triggered robust debate among the audience of senior governance, risk and compliance practitioners, and leaders from across the region. Given that this breach scenario is relatively common today, we thought it useful to share the simulation and challenge your thinking.

What would you do?

Context: You are the Chief Risk Officer at ABC Bank. You discover that someone has hacked into your servers. The perpetrators have stolen your customer information and financial records and published them online. What would you do?

Question 1: What do you think is the most important first action to take?

  1. Notify the relevant authorities
  2. Assess the reputational damage that is at stake
  3. Find out if the attack is on-going or has been contained
  4. Activate the crisis management team & inform senior management
  5. Do nothing


The results: Given the regulatory regimes on consumer data and the fact that this information has been leaked into the public domain, 65% of the audience agreed that they would activate the crisis management team and inform senior management, 20% said that they would find out if the attack is on-going or has been contained, 10% said they would notify the relevant authorities and 0% said they would do nothing.

The average time to detection (TTD) in Asia is more than 579 days (TRT World). Data has already been leaked to the public. Damage has already been done.

Whether it is time to activate the crisis management team depends on the company's risk appetite and tolerance, and on the context of local/global regulations and stakeholder expectations.

A designated chain of command is imperative. While decentralised organisational structures work well across the region for market adaptation and innovation, a crisis demands a rapid and "centralised" response with a very clear line of command, and the ability to shift into "war mode" rapidly. Clear triggers should be understood for moving from "normal" to "war mode", as well as for activating specific response modules, e.g. data loss. There also has to be a clearly articulated set of "all clear" signals that shift the company back to its normal operating mode. If the company fails here, the risk is that the organisation's response is "incoherent or inconsistent".

This is also a crime scene. Evidence is critical.

Expect the public to seek confirmation of facts, to assess the impact, gauge implications, compare this event to others and speculate on who is responsible. How a company manages this phase is critical. This is the stage for "reputation forming".

Key takeouts from Paul O'Rourke, Lead Partner, Cyber Security Asia Pacific at Ernst and Young:

  1. Where to invest? - As there is a high inevitability regarding cyber compromises, organisations need to be adequately prepared to respond in the event of a breach. There needs to be a rebalancing of investment from prevention, to detection, containment, and response.
  2. Where to focus? - Critical to improving an organization's cyber resilience is a focus on culture, education, and awareness, with a top-down culture essential.
  3. What to change? - Organisations should consider implementing or adapting a cyber risk appetite, which will help define the level of cyber risk they are prepared to accept.

If you enjoyed reading this post, see part 2 of this 3-part series, where we explore the challenge of cyber ransoms. Hear Julian Claxton's expert perspectives and learn how other companies across Asia would deal with the challenge.

We will continue the discussion on practical strategies for managing cybercrime and privacy at the Pan-Asian Regulatory Summit that is taking place on 8 & 9 November 2016 at the Grand Hyatt Hong Kong. For the full agenda and details on how to register, please visit the website.


I appreciate that you are reading my post. Here, and on LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.
