
One world. One cybersecurity: Uniting global standards for a secure digital future

By Rajiv Gupta, Sumit Sarawgi, and Mandeep Kohli

If it were measured as an independent economy, cybercrime would be the third-largest, after the U.S. and China: in 2023, the cost of cybercrime is expected to reach an astounding $8 trillion and to scale further to $10.5 trillion by 2025. Global cybersecurity spend is estimated to have surpassed $170 billion in 2022 and is expected to grow at ~9% annually.

Despite an increase in cybersecurity spending, cybercrime continues to prevail, with both its cost and the number of attacks rising. As per the Indian Computer Emergency Response Team (CERT-In), the number of ransomware attacks in India grew by more than 50% in 2022, impacting multiple sectors including critical infrastructure. Correspondingly, the average time taken to identify and secure a data breach continues to be high, at more than 250 days. Considering that the investments being made are not fully delivering the desired outcomes, it is only natural to ask, “Where are the investments being made, and are they enough?”

As businesses become more global and digital, vulnerabilities are also increasing. Recognising this, many large businesses have established formal procedures to protect their systems and the data that resides within, and have accordingly allocated budgets to strengthen cybersecurity.

Compliance, which refers to adhering to standards, regulations, and frameworks while maintaining best practices, is a crucial component of cybersecurity budgets. Currently, there are more than 20 global cybersecurity standards and frameworks in place (NIST, ISO 27001, and CIS 18 are some of the prominent ones), with over 100 countries also having their own customised cybersecurity requirements. Most of these standards are created in such a way that only large organisations and MNCs have the means or level of expertise required to adhere to them, leaving small organisations vulnerable. Today, most companies spend almost 40% of their cybersecurity budgets on stringent regulatory compliance requirements alone, and almost 70% of companies manage at least six frameworks. This complex environment, along with the inconsistencies across standards, leads to a high compliance burden on companies.

Governments are encouraging digital adoption with Digital Public Infrastructure (DPI) and enabling MSMEs to optimally leverage digital platforms and solutions in an attempt to boost growth and revive global trade and investment. Against this backdrop, cyber threats and security issues will become more important, further adding to the compliance burden and the complexity around standards.

In this scenario, simplifying and harmonising existing standards and frameworks by bringing varying guidelines together to create a single and consistent global framework for organisations to follow can be advantageous for businesses. This would create a comprehensive compliance and reporting system based on security requirements and needs in various industries, allow for more intelligence sharing, and reduce the compliance burden for companies. Moreover, it would lead to greater intra-sector, cross-sector, and international collaboration and understanding due to common use of standards and enhanced collective understanding of the state of cybersecurity for regulators and industry.

Of course, this doesn’t mean that current standards and norms should cease to exist, nor will they. Rather, they should be harmonised and converged into a common open-source framework that incorporates essential elements from existing frameworks. Such an approach can help to define consistent and robust standards and policies that ease compliance and enable doing business across the world.

There are several examples, across industries, of bodies whose work shows the benefits of harmonisation, such as the International Accounting Standards Board (IASB) and the Global Reporting Initiative (GRI). The IASB issues the International Financial Reporting Standards (IFRS) for maintaining accounts and financial reporting. The IFRS today has significantly simplified and standardised financial reporting norms across the world, with over 140 nations either directly adopting the standards or having converged sovereign guidelines with them (policy integration). As a result, global organisations are no longer burdened with different accounting principles and the challenge of multiplicity of reports caused by regional norms. Further, these standards are also empowering users of financial statements to compare reports, irrespective of geography.

Some common factors behind the widespread success of both the IFRS and the GRI standards in their respective domains are that they are practical rather than theoretical, and free to use for organisations of all sizes and levels of maturity (often even mandated). These standards have grown their reach over time, following consistent and steady advocacy, while taking into careful consideration the sovereign needs and rights of nations and planning updates and changes in standards accordingly.

The need of the hour is to establish a global framework for cybersecurity that thrives on cooperation and sharing of information between nations. It is important to prioritise elements of low contention and build consensus through open dialogue and constructive engagement. The G20, by acknowledging and supporting the need for standardisation, can help enable the global cooperation required to build trust and consensus around the benefits of harmonised standards.

The G20 Summit being held under India’s Presidency in September 2023 is a golden opportunity for countries to come together and deliberate on this agenda of harmonisation of existing cybersecurity standards and its impact on the global community. India can take the lead and initiate dialogue for global cooperation on cybersecurity and threat mitigation under its G20 Presidency, with the benefits to be reaped by “all”. This would truly reflect the theme for this year’s G20, i.e., “Vasudhaiva Kutumbakam” – one earth, one family, one future.

The authors are managing directors & senior partners, BCG.

Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited. 

