Insight

A united defense against a triple threat

Findings from the KPMG 2022 Fraud Outlook

Marc Miller

Marc Miller

Partner, Risk & Compliance Leader, KPMG US

+1 212-872-6916

David Nides

David Nides

Principal, Cyber Security Services, KPMG US

+1 312-665-3760

Fraud, compliance concerns and cyber attacks have become the costly norm for North American and Latin American companies. These threats are increasing in scope, number, and severity, and the COVID-19 pandemic has made things worse. But many companies do not have adequate defenses against these threats, even though the average combined loss from fraud, data breaches, and regulatory fines can be more than 1 percent of their profits.

These are some of the key findings from A triple threat across the Americas, the KPMG Fraud Outlook for 2022.

In North America —

  • Two-thirds of respondents expect external fraud to increase in the next year.
  • 84 percent say that cyber risk will grow.
  • 73 percent expect compliance risk to rise.

In Latin America —

  • Respondents’ companies are more than twice as likely to experience internal, or occupational, fraud as compared to those in North America.
  • Over a quarter of respondents are unsure if their companies fully meet local rules with respect to corruption and money-laundering regulations.

We call these triple threats a ‘threat loop’ because each threat adds to the potential damage inflicted by the others. We believe that defending against this threat loop requires a collective, interconnected effort. Companies need to look at the impact created by these threats in conjunction, rather than just the risks they pose separately. This requires a comprehensive risk assessment backed by data analytics, a close study of compliance measures and fraud mitigation efforts, a review of remote and hybrid working environments, and a careful monitoring of cyber threats.

A holistic risk assessment

An effective risk assessment should identify risks and support the effective distribution of resources for risk mitigation. Mitigating low-level risks should not drain valuable resources from addressing more critical risks. Companies should identify their primary risks first, identifying gaps in defenses and taking immediate steps to fill these gaps. In identifying these risks, companies should also keep in mind that today’s threats are interconnected. For example, the lack of compliance in the IT department could lead to a cyber breach that, in turn, might lead to an incident involving fraud.

A rigorous risk assessment requires buy-in from the CEO, the board, and upper management. Decision makers need to clearly understand the significant costs of these interconnected threats in terms of reputational, financial, and operational damages. Backed by executive buy-in, the company’s compliance and legal departments can develop the resources they need to identify risks, mitigate potential threats, and build a culture of enforcement and accountability.


The cost of fraud and non-compliance

In our study, 55 percent of respondents acknowledge that their businesses have paid regulatory fines or suffered financially due to compliance violations in the past year. Undiscovered instances of fraud and non-compliance mean that these numbers are likely to be unrepresentative, and the underlying problem may be even larger.

Costs from compliance issues and fraud are greater depending on company size. Respondents from large companies (defined here as those with annual revenues of over $10 billion) say that, on average, their companies lost 0.7 percent of net profits to fraud last year and paid 0.8 percent of net profits as fines for non-compliance, for a total of 1.5 percent of their net profits.

Compliance officers can use data analytics and other advanced technologies to gain deeper insight into potential misconduct, non-compliance and cyber threats and address vulnerabilities within the company and among outside suppliers, vendors, and business partners.

The survey findings highlight the inter-dependencies, chain reactions, and peripheral consequences of cause and effect between fraud, non-compliance and cyber risks. Weakness in one area can create risk in the other two areas. Collectively, the harm can be catastrophic, so focusing on all three is crucial to manage risk.
-Marc Miller, Partner, Risk & Compliance Leader, KPMG US

Security threats with remote working

Remote working has reduced the ability of companies to monitor behavior, which can increase fraud risk and create major cyber security weaknesses. According to our study, “nearly nine in 10 respondents say that working from home has negatively affected the effectiveness of their companies’ fraud prevention measures, compliance risk mitigation or cyber security. For some, it has damaged all three.”

For example, confidential meetings that used to occur in person are now often held online. This raises a number of questions about the security and integrity of these meetings. Are the meetings being recorded? Who has access to those recordings? Are there unwanted listeners online or in the rooms? Are there vulnerabilities in the software platform(s) being used? Online meetings can put sensitive information at risk, and bad actors that capture this information can sell it on the dark web for insider trading purposes, competitive intelligence-gathering, or broad distribution to unintended audiences.

If companies are not doing continuous external scanning for hardware vulnerabilities, software vulnerabilities, and misconfigurations, cyber attackers are doing this for them.
-David Nides, Principal, Cyber Security Services, KPMG LLP

Furthermore, if a company suffers a cyber attack, the compliance team may not have appropriate and immediate access to physical hardware to address the situation. In traditional office settings, laptops can be physically sequestered from a network, and data can be collected from workers in person. If a company does not have the ability to investigate with speed and precision, the risk of not uncovering the full extent of the attack will only increase.

Steps for companies to consider

Our study suggests that many companies might have room for improvement in the way they address the threat loop of non-compliance, fraud, and cyber attacks.

For example, 60 percent of U.S. respondents report that their suppliers and customers are increasingly demanding proof of compliance with data-privacy regulations, and 48 percent say the same about corruption and money-laundering legislation. However, very few respondents say their companies reflect international best practices in their anti-corruption compliance (18 percent), environmental compliance (21 percent), and anti-money-laundering compliance (22 percent).

In the same way, 70 percent of respondents report that their companies uncovered fraud over the past 12 months. But only 35 percent of U.S. respondents say their companies have a program in place to prevent, detect, and respond to fraud.

Finally, 81 percent of respondents are “somewhat or completely satisfied” with how long it takes their companies to recognize a cyber attack. However, respondents tell us it takes about a month, on average, for a cyber attack to be fully contained, suggesting a potentially fatal lack of urgency.

Companies to address the threat loop of non-compliance, fraud, and cyber attacks:

  • Implement a comprehensive enterprise risk assessment process that includes fraud and misconduct, compliance issues, and cyber security weaknesses that focus on actual — not hypothetical — risks.
  • Promote a culture that encourages ethical conduct and a commitment to compliance. As part of this, senior management should establish standards and procedures to prevent and detect fraud, mitigate cyber security risks, and monitor regulatory compliance.
  • Develop and publicize ways for employees and relevant third parties to report suspected wrongdoing and seek advice about laws, regulations and company standards of conduct. Organizations where employees believe they have a responsibility to raise their hands and report misconduct are the ones that will likely detect fraud, non-compliance, and misconduct early.
  • Understand the extent of the company’s exposure to cyber-attacks. Traditional cyber risk assessments often occur only on a monthly or annual basis and are relatively targeted in nature, but companies should conduct continuous external scanning for hardware vulnerabilities, software vulnerabilities, and misconfigurations. Having an operationalized technology and process to identify and remediate threats against the attack surface is critical.
  • Adopt leading practices around identity protection and security. Measures like multi-factor authentication are generally low in effort but high in value.

Most companies have some defenses in place, but comprehensive excellence is rare. Meanwhile, non-compliance, fraud, and cyber attacks represent a clear and potentially expensive threat that will only increase in the future — all the more reason to strengthen the company’s threat-mitigation capabilities, starting today.

About the Research

  • More than half of respondents are board members, members of the C-suite, or department heads
  • Respondents are evenly divided across seven major industries:
    • Industrial manufacturing
    • Consumer products and retail
    • Energy and natural resources
    • Financial services
    • Insurance
    • Life sciences and pharmaceutical
    • Telecoms, media and entertainment and technology

 

Based on a survey of 640 executives

Respondents represent companies across a range of sizes:

KPMG LLP does not provide legal services.