A new Gartner survey finds that CEOs will increasingly be held personally responsible for breaches resulting from what it calls growing “Cyber-Physical System (CPS)” attacks, anticipated by 2024. The term refers to the risks emerging from the rapid merging of operational technology (OT) and IT.
According to Gartner’s Katell Thielemann, Research Vice President, “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them. In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”
Gartner also projects that financial losses due to CPS attacks will reach over $50 billion by 2023.
This survey points to a few trends Cyberhedge has been calling attention to in recent months:
- CEOs are already being held accountable. For example, ISS ex-CEO Jeff Gravenhorst stepped down a few months after an attack in February led to a 33% hit to ISS’ operating income (to date).
- Fast-rising financial risks created by the merging of OT and IT. Companies like Honeywell understand the downside financial risk due to an operational disruption. This is why they are a 5-Star rated company, outperforming all other US Industrial peers by ~15% (Vanguard Industrials ETF), while an Industrial peer like 1-Star GE has vastly underperformed YTD and recent victim Honda is dealing with the financial fallout of its own June breach. Although not critical infrastructure, Brown-Forman and Carnival are also recent examples of the financial risks created by rapid digitization that investors must reckon with.
- Impending regulation on cyber risk disclosure and management: The US Cyber Solarium Commission has recommended amendments to the Sarbanes-Oxley Act (SOX) to include cybersecurity reporting requirements, specifically the corporate responsibility requirements for the security of information systems and the performance and recording of cybersecurity risk assessments.
- A mix of legal and economic solutions is needed. Vulnerabilities that reside within the software code that increasingly drives industrial and broader company processes, including automation, do not just threaten data loss but can disrupt operations and pose potential life-and-death consequences and much larger financial risks for those involved.
Investors, regulators and the public all have a stake in how companies manage these pressing issues as the shift away from legacy technology systems to digitization continues to gather pace.