The vulnerability of customers, applicants, and suppliers to cyberattacks should be a major concern of credit executives. Analyst firm Gartner, in their report on Innovation Insight for Security Rating Services (July 2018) predicted, “By 2022, security ratings will become as important as credit ratings when assessing the risk of business relationships.” While this prediction has not been fully realized, things continue to move in that direction. Cyber risks are a core vulnerability that your counterparts in Third-Party Risk Management (TPRM) and Supply Chain Management are already tracking. You should do the same.
Cyberattacks are being perpetrated on customers of all sizes and across all industries. This is a concern for credit executives in that a high percentage of the companies you deal with are likely to be inadequately protected, even more so with the move to remote workforces in response to the Covid-19 pandemic. Moreover, cyberattacks may impact both your customer's viability and expose your own company to harm as well. For example, if you are sharing bank account information to enable your customers to make ACH payments, your company can also be exposed in the event of a customer's data breach.
Recent Studies Illustrate the Potential Hazard, Particularly Among Small Businesses
According to a recent study published by Verizon, 43 percent of cyberattacks are directed at small and medium businesses (SMBs). This isn't a new trend. For years, cyberattacks for the most part have been equally split between large and small enterprises. Conventional wisdom suggests that hackers like to make the big score, and therefore focus on large organizations. However, cyber-criminals also like to go after vulnerable sectors, and SMBs fit the bill. From the hackers' perspective, it's always a blast to hit a home run, but you can also do a lot of damage by hitting easy singles.
Another recent study, this one from Keeper Security, revealed that only 9 percent of business leaders, at firms with fewer than 500 employees, rank cybersecurity as a top priority. Meanwhile, only 60 percent of SMBs in the study had a cyberattack prevention plan. For companies with fewer than 50 employees, research by BullGuard found that 43 percent have no cybersecurity tools and 32 percent rely on free tools.
Moreover, Keeper reports that leaders at 62 percent of the firms with revenue between $1M and $500M believe a cyberattack is not likely. That number jumps to 73 percent for firms with less than $1M in revenue. These are clearly false hopes. A 2018 Ponemon Institute study quoted by Keeper found that 67 percent of SMBs experienced a cyberattack. In comparison, the Verizon study, which was also conducted during that time period, reported that 58 percent of all cyberattacks were directed at SMBs.
Are Your SMB Customers and New Applicants Vulnerable?
Though SMBs are clearly vulnerable to cyberattacks, they have tended to ignore the problem. The reality is that 60 percent of SMBs that are hacked will no longer be in business within 6 months. The fact that cyberattacks can kill SMBs should be a major credit risk consideration and concern.
“Small businesses are not immune to cyberattacks and data breaches, and are often targeted specifically because they often fail to prioritize security,” observed Paul Lipman, CEO of BullGuard. “Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.”
Interestingly, older businesses (operating for over 10 years) are not as well prepared as businesses started within the last 5 years. Keeper found that 28 percent of the younger firms believed an attack to be very likely, while only 6 percent of the mature organizations believed the same. Part of the explanation for this could be that newer firms are likely to have made a larger commitment to all things digital than more mature outfits, but in any event, the problem remains.
A Call to Action
There are eight specific actions you can take to protect your company by identifying the cybersecurity risks posed by existing customers, new applicants, and key suppliers.
- Consider getting a cyber-risk report or score, at least for large exposures. These are being offered by vendors in the TPRM arena. Here are some sources:
  - RiskRecon (a MasterCard company)
  - SecurityScorecard
  - BitSight
  - Also, check with your credit bureau representative. D&B offers TPRM data products and Experian provides cyber-risk data to the insurance industry.
- Begin by asking some basic questions as part of your due diligence process in order to assess the cybersecurity status of the organization under review (the customer, applicant, or supplier):
  - Is there a dedicated individual responsible for monitoring cybersecurity? (This should be a qualified IT professional, not the business owner.)
  - What cybersecurity tools are in place? (These should be commercial products, not freeware.)
  - Is there a documented cybersecurity prevention plan in place? If the exposure warrants, consider asking for a copy as part of your credit application documentation.
  - What compliance standards do they meet? There are international, national, and industry-specific standards. Some of the most common acronyms are ISO, PCI, and SOC. Again, if the exposure warrants, ask for a copy as part of your documentation.
  - Have you previously dealt with a cybersecurity breach, and if so, how was it handled?
- Based on the responses to your questions as well as any insights gleaned from a cyber-risk report, you can then rate them as being a low, medium, or high risk for a cybersecurity breach. Simplistically, this might mean assigning High Risk to a firm that does not treat cybersecurity as a threat; Low Risk to one that recognizes the threat, has an IT professional on it, and uses commercial software rather than freeware; and Medium Risk to anything in between.
- If your company has a TPRM function, reach out for help in building out your questionnaire and cyber-risk rating scale. They will have already done this for your suppliers and other key third parties.
- For customers, add your risk rating to each account's customer master file (most ERP, accounting, and Credit/Collection software have extra fields that can be utilized for this).
- This may seem like a big project, but it is easily spread out over an acceptable time period. One suggestion is to start with your most important customers and every new applicant. You can then work down the customer list based on the level of exposure.
- Segment your AR portfolio by cyber risk. You will then have a basis to analyze overall portfolio risk in much the same way a credit risk rating is used.
- Consider factoring this cyber-risk rating into the credit risk scorecards or credit risk models you use.
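The simplistic rating scale and the AR portfolio segmentation described in the steps above, as an added illustration that is not part of the original article. The questionnaire field names, the customers, and their balances are constructed for the example.

```python
# Added example (not from the article): the three-tier cyber-risk rating
# described above, applied to a constructed AR portfolio so that exposure
# can be totalled per rating tier.
from dataclasses import dataclass


@dataclass
class Questionnaire:
    """Answers to the due-diligence questions (field names are assumptions)."""
    treats_cyber_as_threat: bool        # does the firm acknowledge the risk at all?
    dedicated_it_security_person: bool  # qualified IT professional, not the owner
    uses_commercial_tools: bool         # commercial products rather than freeware


def rate_cyber_risk(q: Questionnaire) -> str:
    """Map questionnaire answers to the article's High / Medium / Low scale."""
    if not q.treats_cyber_as_threat:
        return "High"       # cybersecurity not treated as a threat
    if q.dedicated_it_security_person and q.uses_commercial_tools:
        return "Low"        # sees the threat, IT professional on it, commercial tools
    return "Medium"         # anything in between


def segment_portfolio(accounts):
    """Total AR exposure per rating tier; accounts are (name, AR balance, answers)."""
    totals = {"High": 0.0, "Medium": 0.0, "Low": 0.0}
    for _name, balance, q in accounts:
        totals[rate_cyber_risk(q)] += balance
    return totals


# Constructed sample portfolio: fictional customers and balances.
SAMPLE_ACCOUNTS = [
    ("Acme Supply",      250_000.0, Questionnaire(True, True, True)),
    ("Bolt Fabricators",  80_000.0, Questionnaire(True, False, True)),
    ("Crest Retail",      40_000.0, Questionnaire(False, False, False)),
    ("Delta Foods",      120_000.0, Questionnaire(True, True, False)),
]

if __name__ == "__main__":
    for name, balance, q in SAMPLE_ACCOUNTS:
        print(f"{name:<18} {balance:>12,.0f}  {rate_cyber_risk(q)}")
    print(segment_portfolio(SAMPLE_ACCOUNTS))
```

The per-tier totals are the figures you would compare against the portfolio's credit-risk breakdown.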
Conclusion:
If you follow the steps outlined above, your company will be in a much better position to reduce the impact of cyberattacks. By advising your management of the susceptibility to these risks and how they may affect your suppliers, customers, and ultimately your own company, you can play a key role in minimizing the negative impacts. You can reduce the possibility of catastrophic events that can lead to the business failure of customers and suppliers your company depends on for its own sustainability. If nothing else, your company will be several steps ahead of competitors who have not factored cyber-risk vulnerability into their credit evaluations.
David Schmidt