About the author
Roland Thomas
Associate Director | Corporate Development
Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.
In the wake of the worldwide financial crisis of 2008, many of us became familiar with the idea of “globally systemically important banks” – that is, banks deemed “too big to fail” because their fall would spell worldwide trouble.
Now, there is growing concern among academics, policymakers and business leaders about the risk posed by what we’re calling “globally systemically important software companies.” Like banks, software companies are now an essential part of the day-to-day running of every kind of organisation. Unlike banks, however, software companies are not regulated.
This is mostly because leaders in the technology sector have been resistant to any kind of formal oversight, and have successfully argued that regulation would stifle innovation and growth. But it now looks like the freedom enjoyed by the sector may be coming to an end.
Combatting nation-state attacks: The chill of SolarWinds
Back in early 2020, the tech world’s version of a global financial crisis came when the major US IT firm SolarWinds was hacked. The hack – now widely believed to be the work of Russian state operatives – resulted in SolarWinds inadvertently sending out a malware-infected update to 33,000 customers using its Orion system. Those customers included government agencies, universities and big tech firms, including Microsoft.
One upside to the hack may have been that it finally gave tech companies and the US government common cause, with Microsoft and other major tech companies all investigating Russia’s involvement in the SolarWinds attack.
Tech companies and governments recognise that Russia is not the only nation-state threat actor – that is, it is not the only country that uses cyber attacks as part of its offensive capability. China was behind several attempts to hack the London 2012 Summer Olympics, for example, and North Korea is believed to fund its nuclear development program through ransomware attacks on hospitals.
This closer co-operation between big tech firms and governments (the US government in particular) to combat nation-state attacks could pave the way for regulatory legislation – which would likely be drafted with significant input from the sector’s leaders.
The Digital Services Act: The EU sends a message
While the US is inching cautiously towards putting restraints on tech companies, the EU is showing less patience.
In April 2022, the EU revealed its proposed Digital Services Act (DSA). A lot of attention has been paid to the most prominent aims of the draft law, which are to combat:
- the spread of misinformation and illegal content; and
- the trade in illegal goods and services.
However, in conjunction with the EU’s Digital Markets Act (which came into force in November 2022), the DSA would offer the EU a previously unthinkable amount of power – not just over social media platforms and online traders, but over cloud services and internet providers too.
Why now?
There are two major drivers behind this shift towards greater regulation of the tech sector:
- Evidence that large, sophisticated, and well-established tech firms like Microsoft can fall victim to third-party hacks has made policymakers feel more confident about public support for greater controls on the tech sector.
- Now that software companies are as essential to our daily lives as electricity and running water, there is increased awareness that public safety and the integrity of the global business network outweigh the right of tech companies to grow unchecked.
Until these regulations become a reality, however, you should continue to take steps to continuously assess your own threat environment.
In particular, you should consider whether your sector is exposed to one or several systemically important software companies – software which you and your peers rely on, and which could trigger a wider problem if it fails.
At Thomas Murray, we combine 30 years’ experience in the world’s most complex sectors with our award-winning cybersecurity technology to monitor in real time the financial, operational, and cyber risk of thousands of organisations across more than a hundred markets.
Talk to us about how we can protect your organisation, your assets, your clients and your data.