Digital trade is a requirement for business today. When a product or service requires internet connectivity or has a computing device as part of the product, it introduces the risk of cybersecurity. Today, there are concerns about the data collected especially related to confidential individual information. These products are subject to increased inspection and can be banned if anything is considered suspicious. COmpanies dealing with products, especially across borders must have mechanisms in place to mitigate such risks.
These concerns may extend to a range of equipment including among others computers, networking equipment, medical devices, security services, conferencing tools, smartphones, drones, smart toys, software and payment systems. Hence it is not a question of if but a when and how for companies.
A patchwork of rules.
The perceived cybersecurity risks for digital devices are the same for all countries. However, each country has a different set of rules to address these concerns. Hence companies have to deal with a host of fragmented rules that may be different for each country and pose a distinct threat to companies that do business across boundaries.
Government capability in managing risks.
Governments use their laws, regulations to manage these cyber securities and implement the same through designated agencies. They create awareness programs, train, educate and collaborate with agencies.
However, Government can’t conduct a thorough inspection of digital products especially software with millions of lines of code. Most decisions are taken based on perceived risks, which depends on the relationship between the government and business. The trust developed between the two can influence the cyber security risk management policies.
Geo-politics:
Many times, a product or a company may be a victim of international politics as happened in the case of Huawei-5G. The US banned it and its allies followed in its footsteps. The perceived cyber risks could easily have been mitigated by setting up monitoring and reporting systems. However, some allied countries considering other factors unique to their policies continued to use these products despite being a partner of the US
Hence, the challenge for companies is to predict how the countries, they do business in, would react to the technology or the equipment they bring into the country. Hence they need to develop a strategy and a method to anticipate outcomes and mitigate unfavourable factors.
Define an active strategy.
The cybersecurity laws are unique to every country and there are no common parameters that would help you define how the systems should work and comply with the regulations. Hence company’s have to take an active approach to define their global digital strategy. This would enable them to be prepared to address concerns when they come up.
Build an effective cyber security culture.
Building security features into the product has become an essential part of the development and companies should promote a cyber security culture within the organisation. Follow the international standards and have a flexible governance system that would adapt and comply with different policies of the markets you address.
Be prepared to defend and create an appropriate image.
The reputation of a company is crucial to reassure the customers over their cyber security concerns. Companies should actively promote their cyber security policies and build up their reputation with the target market. A high reputation could help the company avoid the politicization of security issues.
Be willing to step out and step back in:
It may be prudent to exit a market where it is very expensive to comply with cyber security requirements. It is important to defend the company’s reputation to sustain its market in other countries.
At the same time, companies should be ready to re-enter the market when the restrictions apply to a part of their operations or the security concerns have been addressed adequately.
Help the government address cyber security concerns:
Companies should actively seek to aid the governments to build capabilities to address these risks. It can help the government implement policies to mitigate cybersecurity risks without introducing barriers to business.
Develop bargaining power:
It is important to develop and maintain trust and collaboration with the decision-makers. Companies can build their influence through trade associations, groups to recommend model cybersecurity standards. Governments may not have the capability and may take help from such global associations.
Every company that markets digital products across countries must have an effective cybersecurity policy that addresses the geopolitical relationships, capability, technology and reputation. All companies are likely to face such cybersecurity concerns sooner than later. It is better to be prepared and have a plan of action ready to address this issue proactively.
Navigating Cybersecurity Risks in International Trade
by Keman Huang, Stuart Madnick, and Fang Zhang
HBR 2021/12
R2G 