Although it seems inconceivable today, just six years ago the World Economic Forum did not rate cyber security anywhere near a top risk. The danger of a breakdown in “critical information infrastructure” or significant data loss and fraud was considered comparatively low in terms of likelihood and severity.
A VERY MODERN RISK
What a difference six years, Wikileaks and a band of Russian hackers have made. So much so that, in the Global Risks Report 2016, experts consider the possibility of cyber attacks to be the seventh most concerning global risk over the next 18 months.
No longer solely a concern of governments, cyber security is now foremost on the corporate agenda too. And with good reason: the increased digitisation of both the public and private sectors has been matched by an escalation in the extent, impact and cost of cyber attacks.
The Marsh & McLennan Companies Cyber Handbook 2016 reports that data breaches will cost around $2.1 trillion globally by 2019, a four-fold increase from 2015.[1] In this article we summarise its key outcomes and recommendations.
Both governments and industry realise that awareness of cyber risk is vital in countering and mitigating attacks. In the US, reporting of high-profile breaches has encouraged a greater level of general awareness. From 2018, the EU’s General Data Protection Regulation will direct governments and corporations to report data breaches in the hope this will foster greater public–private cooperation. Individual companies must follow suit and develop a cyber-risk plan that covers early detection, response and recovery to avoid disruption to business continuity.
A SHARED RESPONSIBILITY
As technology and digital connectivity evolve, companies globally face menacing new threats every day – even as cybersecurity improves. At the same time, countries now confront a stark new reality of threats against physical assets, including electricity grids, dams, telecommunication networks, transportation systems, and civilian nuclear facilities.
Due to the corporate sector’s shared role in running these assets, actions by governments to increase national cybersecurity need to be matched by private industry. Although individual firms have taken certain measures, the report suggests cyber threat is a shared issue and there is little advantage in going it alone.
In response, more than 30 countries – including Germany, Italy, France, the UK, the US, Japan, and Canada – have unveiled cybersecurity strategies that foster collaborative information sharing between the public and private sector.
Insurance companies have spotted a gap in the market created by cyber risk, and total annual cyber-insurance premiums are currently estimated at $2 billion, with a predicted jump to $20 billion by 2025. The US currently dominates the market, purchasing around 90% of cyber insurance, but interest is growing in Europe. Nearly 25% of European risk managers intend to look into cyber insurance within the next 24 months, and 20.6% of UK risk managers are purchasing now.[2] However, without first comprehensively quantifying the risk of a breach, companies may find themselves inadequately insured.
As both the public and private sectors become increasingly digitised, managing cyber risk must become a key part of business operations.
For articles, report extracts and perspectives from cyber specialists, download Marsh & McLennan Companies Cyber Risk Handbook 2016. The handbook covers a wide range of topics, from changes in the external landscape to developments in cyber-risk quantification techniques to cyber-security-related HR strategies.
1. Juniper Research. The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation 2015–2020, 2015.
2. Betterley Risk Consultants. The Betterley Report: Cyber/Privacy Insurance Market Survey, 2016; Heller M. “Cyber Insurance Market to Triple by 2020”, CFO, September 2015; Marsh. “Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases,” March 2016.