First, the bad news: Cyberattacks, fraud, and compliance concerns are now everyday corporate threats, they’re costing companies more, and they’re steadily increasing in frequency.
The good news? Well, 17 percent of the companies in our recent fraud survey said they had not suffered a cyberattack within the last year.
OK, so maybe that’s not exactly “good news.” But when it comes to the latest macro view of fraud and cybersecurity, it’s about as “good” as it gets, as we detail in our broad new report, “A triple threat across the Americas: 2022 KPMG Fraud Outlook.”
For the report, we surveyed more than 640 executives from a cross-section of major industries, including manufacturing, retail and consumer products, financial and insurance services, telecommunications and entertainment, and more.
In truth, the overall sentiment was not so much doom-and-gloom as a realistic acknowledgment that the risk of fraud is here to stay, it’s getting more complex by the day, and most companies realize they still need to do much more to combat it.
The triple threat
To understand the complexity of fraud and the related risks today, it’s important to understand the three primary threats—cyberattacks, corporate fraud, and compliance issues—and how they are increasingly connected.
Breaking down fraud’s triple threat:
- Cyberattacks continue to rise and take, on average, about a month to fully contain.
- Among respondents, 31% have suffered from insider fraud in the last year.
- Reputational risk is as important to leaders as fines and regulatory enforcement.
In each of the three areas, the topline numbers are stark:
Percent of survey respondents who said their companies had suffered at least one cyberattack over the past 12 months.
Companies that experienced some form of internal or external fraud.
Companies that reported losses due to regulatory fines or compliance breaches.
The bottom-line impact is significant, with the executives we surveyed reporting an overall average profit loss of 1 percent between fraud and compliance-related fines in the last year. Not surprisingly, the bigger the company, the bigger the target: 85 percent of companies with revenue of $10 billion or more reported losses from fraud in the last year, compared to 71 percent for smaller companies. And, clearly, neither of those stats is very heartening.
But this fraud triple threat also has repercussions well beyond the dollars involved. Of the companies we spoke with for our survey, for example, 20 percent cited a significant level of reputational damage in the last 12 months, and 1 in 3 was subject to a compliance investigation.
Cause and defects
Try this scenario on for size: You’re a large public company that rapidly moved much of its staff to remote work amid the pandemic. An employee then decided to use your software to steal client data and commit fraud. It’s the triple threat in one single stroke—fraud, cyber, and compliance breaches.
And, unfortunately, it’s not an exotic scenario, especially at a time when companies are desperately trying to play catch-up with postpandemic cybersecurity requirements and infrastructure. In fact, 86 percent in our survey said remote work had negatively affected at least one of the three fraud areas, and 7 in 10 cited remote work as a major cyber risk for their business.
Given the triple threats’ increasing variety and speed of development—and especially since the pandemic—it’s perhaps not surprising that the survey, broadly, found mitigation efforts still lagging well behind. Two insights of particular note:
Leading practices: A relatively small number of the companies in the survey said they are meeting established standards for each of five different compliance/control measures. Data privacy, at just 27 percent confidence, ranked the best of the bunch, for example, while anticorruption (18 percent) was the most problematic.
Half measures: When we looked at controls specific to each of the triple threat areas, 9 in 10 respondents rated their company as “excellent” in at least one area. But the broader view of all three combined, based on a “half-or-more” measurement, demonstrated that there is still significant work to be done at most companies, with less than one-quarter of our survey respondents saying their company was meeting the halfway mark.
The road(s) ahead
Fraud didn’t start with the pandemic, of course. As our discussions with more than 640 executives for this report reinforced, fraud—in all of its increasingly complex forms—has been on the rise for years. Yes, the pandemic supplied some very favorable tailwinds. But most companies had already been losing ground on what increasingly felt like whack-a-mole efforts to battle the triple threats.
The choice for most companies today is one of resolve versus resignation: aggressively expand defense measures or simply accept fraud as an inevitable loss-leader for the business.
Our own KPMG security specialists fall squarely on option #1. We believe companies can make a significant impact on the triple threats with a five-step approach:
- Set the right tone from the top
- Carry out a risk review
- Communicate effectively
- Strengthen detection
- Create a culture of enforcement and accountability