Cybersecurity threats increased for businesses over the past year, according to a Wall Street Journal survey of compliance professionals.
Nine out of 10 companies said cybersecurity risks rose, with nearly half saying the risk shot up substantially. Almost all midsize companies—those with between $50 million and $1 billion in revenue—said they felt cyber threats had increased.
The Wall Street Journal surveyed around 300 compliance professionals between Feb. 13 and March 11. More than three-quarters were based in the U.S. and about 4% in Canada. Around 36% of respondents worked in the financial services sector, while around 13% worked in professional and business services and around 9% in the technology sector.
Other major areas of concern among the compliance professionals we surveyed included regulatory scrutiny and enforcement, cited by 78%; and the digitization of their business, cited by 71%.
Several high-profile hacks and regulatory changes in recent months have raised the stakes for companies. In September, casino operator MGM Resorts International shut down some of its computer systems after a cyberattack hit hotel and casino operations. In February, attackers gained entry into UnitedHealth Group’s Change Healthcare unit, a ransomware strike that crippled vital parts of the U.S. healthcare system.
The U.S. also has ratcheted up the pressure on companies to communicate cyber breaches more promptly. Starting in December, the Securities and Exchange Commission required companies to disclose cyberattacks to the SEC no later than four business days after they determined the incident will have a material impact on operations. In addition, the U.S. Cybersecurity and Infrastructure Security Agency in March published draft rules on how critical-infrastructure companies would need to report significant cyberattacks within 72 hours and ransom payments within 24 hours.
Diversity and inclusion, another hot button topic companies wrestled with over the past few years, was lower on the radar of compliance professionals. Roughly one-third of companies said they saw such issues as an increased risk compared with the previous year, the smallest such change in our sample.
Diversity, equity and inclusion initiatives in recent years have been a major area of focus of companies, as they described in detail their activities in this area in annual reports and lauded them in public statements. But while many businesses claim they aren’t cutting back on these programs, some have retreated on how loudly they have touted them in public as such programs have come under increasing legal and political threat. Others are abandoning some practices, such as the use of numerical targets that can be seen as “quotas” or of unconscious bias training some see as casting blame.
Ready to respond?
Accompanying the heightened cyber risk is increased uncertainty about their compliance department’s ability to respond to incoming threats.
Nearly half of compliance survey respondents said they had only a basic or novice level of expertise in overseeing cybersecurity-related compliance. Only 8% considered themselves experts.
The need to staff up to handle incoming cyber threats also weighs on the mind of compliance professionals. About 35% of respondents said insufficient head count was a challenge faced by their company’s cyber compliance program, while 31% cited a need to keep up with regulatory changes around cybersecurity and 23% a lack of required skills.
Compliance professionals also say that cybersecurity was the biggest area in which they have had to build their skill set. Nearly seven out of 10 respondents told us they have needed to gain knowledge in this area over the past year. Regulatory scrutiny and enforcement was the only other area cited by more than half of respondents, at around 67%.
Despite these challenges, 90% said their cybersecurity compliance program was at least somewhat effective. Only 2% called their program “very ineffective.”
Geopolitical concerns rise
With the ongoing Russia-Ukraine war, the continuing tension between the U.S. and China and, more recently, the Israel-Gaza conflict roiling commodity and export markets, we wanted to know how geopolitical risks affected the ability of compliance professionals to do their jobs.
Nearly two-thirds of respondents overall said that business risks attributable to geopolitical concerns have increased year-over-year. Among geopolitical factors that impacted the work of compliance professionals, the Russia-Ukraine conflict was cited by 43% of respondents. This was particularly acute for those from the largest companies—those with more than $1 billion in revenue—with more than half (54%) saying the Russia-Ukraine war was impacting their work.
The war in Ukraine and subsequent sanctions packages intended to punish Russia have impacted the world’s already challenged supply chains. The conflict has severed air and land routes for trade, hit supplies that relied on Russia and Ukraine-made components and severely restricted commodity exports from both countries. Indeed, 47% of respondents said supply chain risks for their business had gone up in the past year. Meanwhile, a $60-a-barrel price cap on Russian oil imposed by the U.S. and its allies to help thwart funding for the war has had mixed results, with efforts by Russia to circumvent the cap and bring in revenue increasingly successful.
U.S.-China economic tensions, and election cycles in regions where their business operates were close behind as an impact respondents cited, at around 39% and 37%, respectively. In recent years, American firms in China have felt squeezed by geopolitical tensions, trade conflicts and internal political changes. Meanwhile, economic problems in China and a series of regulatory actions that have made foreign businesses nervous caused many large multinational firms to reduce their investment in the country.
The Gaza war was further down the list of concerns, cited by about 20% of respondents as a risk impacting their work, followed by China-Taiwan tensions, at 19%, and public sector corruption, at around 18%.
Compliance professionals confront AI
Our study also suggested that while artificial intelligence is a topic of interest to compliance professionals, most have yet to use it as part of their compliance efforts. Just over one-third of respondents said they were using AI tools for compliance, compared with 46% who said they weren’t yet using it but planned to in the future.
About one in five said they had no plans to use AI in compliance. Despite the rise of ChatGPT and other forms of generative AI in the mind of the public, many businesses are still taking a wait-and-see approach to the technology in all its forms.
Perhaps unexpectedly, the smallest companies seem most likely to be using AI for compliance already, with about 41% of respondents from companies with less than $50 million in revenue saying they had put the technology to use. But, more than half of the companies in the $1 billion-revenue class said they were considering adopting AI for their compliance.
Despite this, the use of AI is coming, say the compliance professionals we surveyed. Only about one in 10 of compliance pros from the largest companies said they had no plans to use AI for their compliance efforts in the future, compared with about two in 10 from those working for small and midsize companies.
Of those using AI, 45% said they used it to detect control deficiencies, while 44% said they used it for cybersecurity. Regulatory change management was cited by about one-third of respondents.