EY: HK firms underestimate insider threats

Ernst & Young (EY) said companies worldwide, including those based in Hong Kong and China, are underestimating the level of risk posed by insider threats.

“Most companies are focusing on external threats, and rogue insiders are seizing new opportunities to profit for themselves at the expense of their employers,” said Jack Jia, partner, Fraud Investigation & Dispute Services (FIDS), Ernst & Young Advisory Services.

This assessment is ironic given that, in the latest EY Global Forensic Survey 2016, 55% of corporate respondents from China and Hong Kong said cyber breaches and insider threats are the fastest-growing fraud risk.

While companies worldwide are aware of the growing insider fraud committed – both unwittingly and with malicious intent – by their employees and business partners, the same survey showed that 64% of respondents either have no threat intelligence program or have only an informal one.

Jia noted: “While companies are monitoring employee behavior, traditional surveillance can’t handle the evolving fraud landscape, increased litigation and regulatory demands.”

“The reputational and financial damage is hard to predict at the moment. What hard figures we have in the market only involve direct costs to customer accounts that have been impacted. They do not include the cost of investigation, cost of lost market share, etc. We have been working with cyber insurers about this, but the reality is the data is not rich enough to even estimate the total cost of a cyberattack,” he added.

In Hong Kong, regulators have started tightening the screws on cybersecurity. The Hong Kong Monetary Authority’s Cybersecurity Fortification Initiative (CFI), when fully implemented, will require financial services firms to assess their own risk profiles and benchmark the level of defense and resilience required to protect against cyberattacks, including insider threats.

Also, the Securities and Futures Commission is currently conducting cybersecurity reviews of internet and mobile trading systems. And the Privacy Commissioner for Personal Data has an ongoing 18-month review of the city’s data privacy rules, with the goal of aligning them closely with the recent changes made in the EU. It is expected that future data privacy rules will protect not only individuals but also commercial enterprises.

“Companies are challenged by increasing regulatory enforcement across the region and globally,” said Chris Fordham, managing partner, FIDS, Ernst & Young Advisory Services, adding that it is fueling the demand for fraud investigation and dispute services.

Over the last four years, EY’s FIDS business has doubled in Greater China, including China, Hong Kong and Taiwan.

“When looking at the work FIDS performs across the region, approximately 55% consists of reactive investigation, while 35% of our work is proactive regulatory compliance or anti-fraud controls. The remaining 10% involves assisting clients and their legal advisers with disputes and arbitration,” Fordham said.

Inadequate response to insider threats

According to EY, companies are usually caught unprepared by cyberattacks and their incident response leaves much to be desired.

It cited a recent case at the Hong Kong branch of a global bank, where hackers allegedly attacked customers’ online trading accounts and made unauthorized trades.