"Give me your data" - cyberattacks, the bigger new bully in 2023

Cassidy Ainsworth-Grace
Deutsche Bank Research Management
Stefan Schneider

Two big cyber events during 2022 showed how corporates are increasingly being punished for cyber attacks against them. It is quickly becoming a political issue, just as the trend to WFH can increase the chance of an attack.

The events of 2022 threw into sharp relief the two questions that may shape how corporate digital infrastructure needs to change in 2023. First, who is to blame for cyberattacks: corporates or hackers? Second, what will tougher cyber regulation mean for corporate responsibility?
Some distressing hacks in 2022 (example below) showed that cyberattacks can no longer be written off as simply the cost of doing business. Indeed, the public is beginning to see corporates as being at fault. This change in the mood follows a pivotal year for cybercrime. In 2021, cyberattacks increased 31 per cent compared with 2020 [1]. And the losses are deepening. A third of central banks in developed economies have indicated cybersecurity losses have increased by over 20 per cent since the pandemic [2].
Ransomware has emerged as one of the most popular technological threats. This involves infiltrating a victim’s network to encrypt files and hold them for ransom. The number of these incidents in the US more than doubled in 2021 [3]. Globally, the number of ransomware attackers grew 151 per cent.
An example from Australia this year shows what may be in store in larger economies. The event was a hack of Australian health insurance provider Medibank. The result was the theft and ransom of the personal information from nearly a third of the population. Medibank did not pay the ransom, and the hackers not only kept the data encrypted, but also published sensitive medical details on dark web forums.
Compensation discussions are ongoing, but the bigger picture is that this attack is emblematic of the growth in large-scale attacks on such personal information. Given the current mood regarding corporates in the US and Europe, if growth here continues, it will quickly spark a heavy political response with serious ramifications for the companies in question.
The impact of politics on cybersecurity took a notable step forward this year. In March, the Biden administration mandated companies to report hacks within 72 hours of discovery, and within 24 hours if ransom is involved. With the US as a starting point, it is likely that similar regulation will permeate across advanced economies. Companies are still underestimating this, but if the growth rate in hacks continues in 2023 it is only a matter of time before an influential country has to respond to a Medibank-style hack.
The concerning thing for companies is that the risk has grown with work-from-home arrangements. Identity management and data protection have particularly suffered and hackers have moved their focus away from the core network to end users. Better regulation to incentivise better security is therefore critical.
  1. World Economic Forum
  2. Bank for International Settlements
  3. US Financial Crimes Enforcement Network

© Copyright 2023. Deutsche Bank AG, Deutsche Bank Research, 60262 Frankfurt am Main, Germany. All rights reserved. When quoting please cite “Deutsche Bank Research”.
