Working patterns have changed as a result of the pandemic and organisations have become increasingly aware of cyber risk. Cyber security is taking greater prominence on the leadership agenda, but the activities that we all need to undertake need not be ground-breaking. Cyber security is a personal issue first and foremost: we all need to be observant and cautious.

A survey conducted jointly by ACCA, CA ANZ, Macquarie University and Optus in October 2018 showed that 57% of respondents ranked cyber security among their top five business risks while 52% saw cyber security as a high or very high risk to their organisation.

The level of cyber threat evolves as technology changes and an increase in connectivity transforms the risk profile for organisations. Yet, cyber security is still not managed as a business risk and, too often, left to the information technology professionals alone to handle.

Redefine risk and resilience

This evolving threat means that cyber criminals constantly find new vulnerabilities to exploit, so it is important for businesses to maintain their software and hardware system and protect it from risk, but this is not enough. Traditionally, hardware is understood as the boundary of our IT system. In the connected world we are moving to managing the cyber risk by verifying the user and the equipment that they use instead. As users we are less tolerant of inflexibility in the infrastructure that we use, and many people bring their own devices to work. This surge in the use of remote access, however, provides further vulnerability that the cyber threat actor can exploit. Both as individuals and organisations, we need to be vigilant.

Cyber threat actors have time on their side. They need not act immediately. An annual IBM global survey published by IBM in early 2021 showed that, on average, it takes 280 days for organisations to identify and contain an attack. The average total cost of a breach was US$3.86 million.

For organisations, the question about suffering an attack is not “if” but “when”. The results of the ACCA survey found that 26% of respondents were aware of attacks detected by their organisation in the preceding six months. More concerning still was the 54% of respondents who thought that their organisation had never been the subject of a cyber-attack; or were not aware that it had ever been. Cyber-attacks cause both financial and reputational damage and businesses cannot afford to ignore them.

Focus on recovery plans

Preparation for an attack should focus not only on the management of the attack itself, but also on the recovery afterwards. This requires effective planning to manage the technical issues as well as the relationships with regulators, customers and suppliers. Only 37% of participants in the survey noted that there was a remediation plan in place that was regularly updated and tested. The risks associated with cyber-attacks go beyond the loss of personally identifiable data and they may harm the company’s operations. It is how we do business in the connected world. Especially during the pandemic, organisations have shifted their focus to online interactions with customers and suppliers. That level of connectivity and inter-dependency creates a higher risk.

Audit your supply chain

As supply chains become ever more complex and integrated, the extent of cyber risks at the boundary of organisations grows. The weakest point may well be a connection to a third party. Providing support to and assessing the vulnerability of these third parties is essential, yet 41% of respondents had no knowledge of any cyber security assessment or audit being conducted on their organisation’s supply chain.

Invest in cyber insurance

Leadership needs to regularly review and action cyber threat measures as part of its broader business risks assessments. This includes the qualification of the potential financial impact of exposure. For the cyber-criminal, the activity can be more profitable than any other illegal activity and paying criminals to unlock attacked data through ransomware will mark the organisation as a vulnerable target on the dark web. Insurance will help manage some of the losses arising from an attack, and 44% of respondents were unsure whether their organisation had a cyber insurance plan, or if the cover is at an appropriate level.

Play your role in the reality of cyber risk

Do not wait for the cyber-attack to take place. Do not wait for the fine or the measurable reputational loss. Finance leaders need to recognise that cyber risk is especially relevant to them. Ensure that you are fully up-to-date on the nature of the risk that the organisation faces on an ongoing basis. The cyber threat actor has time on their side, and it is not time that you can afford to waste.

Clive Webb leads ACCA’s research on business and technology related matters from the perspective of chief financial officer. He has a background in information technology assurance as well as being a qualified accountant.

As MIA member Christopher Cardona reaches an important juncture in his career, The Accountant asks him for his views on the future of the profession.

You started the year as a newly appointed Assurance Partner with PwC. How has the experience been so far?

Becoming a Partner is a defining moment in the career of some accountants. I am certainly proud of the achievement; however, I look at the appointment as a major milestone in the professional journey that has many miles left. It is not an end to itself, but an important step to accomplish more.

Apart from my personal journey, I hope that this new role helps to demonstrate that a professional career in Malta can be enriching and inspires young people to pursue accountancy. As a young graduate, over a decade ago, someone told me that it was an exciting time to join the profession. That advice still holds true today.

What are the main challenges in your new role?

As an Assurance Partner, my role involves leading engagements and providing assurance to others. I believe that trust and quality are central to the profession in general and this demands that accountants and auditors keep raising their game by, for instance, remaining up to date with new requirements, standards and regulations.

In our profession, academic preparation is complemented with on-the-job training that allows you to develop your own skillset. I feel it is my professional responsibility to lead by example thereby impacting the learning and professional growth of the members of my team.

How does it impact your work on the MIA Financial Services Committee?

Through collaboration, teams have the ability to change things and MIA Committees bring different experts together to form a broad perspective on important issues. I have been a member of the Financial Services Committee for many years and I do not see my contribution changing. If anything, as a Partner, I have increased appreciation towards the value of sharing of insights and contributions to the bigger picture.

All warrant-holders play a part in the development of the profession and joining one of the several MIA Committees and Groups is an effective way of shaping the future of accountancy in Malta.

What are the priorities of the MIA FS Committee?

Our top priorities are the continued liaison with MFSA, the development of guidance and technical releases, and the organisation of CPE events. We are a very active committee with a wide range of expertise and experience covering multiple sectors.

Financial Services is a dynamic and highly regulated space with direct impacts on many market players, so there are always issues that call the MIA’s attention. I am also pleased with the dialogue that the Committee is fostering between accountants, auditors and the regulator, which is central to the profession’s success.

And what is the Committee’s longer-term vision?

The Committee has an expansive agenda covering Insurance, Banking, and Asset Management. In terms of vision, we want to elevate quality and prepare the profession for a future that holds further changes to financial reporting standards, amendments to current regulations, and an increased focus on emerging trends, such as the impact of ESG reporting on financial services.

How do you see accountancy evolving in the next decade?

There is no shortage of exciting challenges and opportunities ahead. Changes to the landscape are taking place at all levels, from increased regulatory and legislative demands to technological transformations to accounting change, but change is an inherent part of our profession and accountants are not immune to the need to transform.

In my view, some or most of what we consider traditional in the accountancy domain today will likely give way to newer services and ways of working. Nevertheless, quality and integrity will remain fundamental to the profession.

You were awarded the Kevin Mahoney Prize in 2019. How did it feel when it was announced?

It was totally unexpected. I had no idea that I had been nominated, but accepting the award was a humbling experience. In general, we probably tend to associate the profession with numbers, reporting, or taxation, but there is much more to being an accountant. The Kevin Mahoney Award sheds a light on the human side of accountants and on the sense of altruism that often goes unnoticed.

Every time I reflect on this award, it reminds me to be sensitive to what every person may be going through, whether colleague, family, friend, or client.

How do you balance your work life with your other commitments?

Work is only one aspect of life. It is an important part, but besides my career and my involvement in the MIA Committee, I also dedicate some time to lecturing at university and have a young family with two children.

An insightful concept I once came across advocates for work-life choices, as opposed to work-life balance. That makes more sense to me because choices are centred around our personal priorities. Priorities, of course, change with time and circumstances, but we must have the awareness to identify them before we can make the right work-life choices.

What do you do to take your mind off work?

I like to spend time with my family; we love to travel and enjoy the sea.

I am also quite a hands-on type and I do a lot of DIY projects around the house. We recently renovated some rooms, with some help from the children too.