Modern accounting for the digital economy
During this year’s International Accountant’s Conference 2017, a cybersecurity panel discussed current security trends and the latest technologies that might be able to stem the tide of exponentially increasing cyber attacks and breaches.
The discussion culminated when a practising accountant from the audience asked a very pertinent question: How does an accountant quantify the operational risk of cyber attacks?
KPMG’s Cybersecurity Lead in ASEAN, Dani Michaux, broke that question down further, starting with how an organisation should approach a cyber attack.
One of the first factors to take into consideration is the direct loss from downtime and lost sales and/or productivity as a result of an attack. Indirect losses also exist, in the form of reputational loss, class action lawsuits and the like.
When she described the types of cyber attacks that may happen, she also pointed out that a ransomware attack could be resolved in 3 to 10 days, depending on its complexity.
“But besides that, there is also loss of management time required to deal with these incidents,” she said, adding that in the case of data breaches, the initial action may take five days, but it is usually followed by a few months of detailed analysis.
Reiterating the current perception that cybersecurity has become a business issue, she said, “The board of directors (BOD) has to decide what not to do. They can’t stop attacks, but they have (to take necessary steps) to be better at dealing with them – for example, being resilient, getting an insurance policy in place, releasing press statements, and so on.”
Media Prima’s CTO, Alain Boey, who is also a chartered accountant, added that financial statements would have to take into account the probability of cyberattacks already happening.
Depending on when a breach happens, there are also different ways to treat it: if it happens at the end of the year, should it be included in financial reports, or is there a fund already allocated for it so that the unexpected cost of a ransomware attack does not impact year-end figures too much?
This question also segues into the much-changed landscape that accounting fraternities around the world have to start preparing for, if they haven’t already.
A majority of cyberattacks like ransomware demand payment in bitcoins, because it is a currency which is not regulated and hence not easy to trace.
A majority of bitcoin investments are still not recorded, as most of them are made by individuals in their personal capacity. Amounts and values of bitcoins may be recorded, but to whom the bitcoins belong, or the ‘asset’ that the bitcoins are being used to pay for, is still largely unknown.
Things may change in 2018, however.
In a bid to secure Malaysia against abuse of digital currencies for unlawful purposes, such as money laundering and terrorism financing, Bank Negara will issue a regulation making persons or entities that provide digital currency exchange services reporting institutions under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001.
When this happens, the local accounting fraternity will need to know how to treat and address these reporting institutions during the accounting process.