Cyber threats continue to be top of mind for businesses globally, with incidents such as IT outages, ransomware attacks and data breaches ranking first among global business risks for 2023, for the second year in a row, according to Allianz Global Corporate & Specialty’s annual risk barometer released last month. Its analysis shows that the frequency of ransomware attacks remains high, and the average cost of a data breach is at an all-time high of $4.4 million and is expected to rise to more than $5 million this year. The war in Ukraine and broader geopolitical tensions have increased the risk of a large-scale cyberattack by state-sponsored actors.
Meanwhile, at the World Economic Forum̵7;s gathering of business and financial leaders in Davos, Switzerland, in January, experts predicted that 2023 will be a breakthrough year for cybersecurity. An expanded threat landscape and increasingly sophisticated cyber attacks were cited. For the first time, widespread cyber crime and cyber insecurity were ranked among the most serious risks of the next 10 years in the WEF’s Global Risks Report. Cyber attacks against critical infrastructure were also ranked among the most immediate crises with the greatest potential impact on a global scale.
The opening weeks of the year appear to have confirmed this, with the UK’s postal service suffering a ransomware attack – suspected to have been caused by a hacker group with links to Russia – disrupting its international export services. In the US, thousands of flights were grounded after a computer outage at the Federal Aviation Administration, although the FAA continued late last month to say it had so far found no evidence of a cyber attack or intent.
Meanwhile, global geopolitical instability has helped narrow the perception gap between businesses and cyber leaders on the importance of cyber risk management, with 91% believing a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years, based on their responses to the WEF 2023 Global Cybersecurity Outlook – the report. Both business and cyber leaders have a clearer picture of their organizations’ cyber capabilities and vulnerabilities, and cyber issues are more integrated into enterprise risk management and receive more board focus.
But there is still more to do. While cyber and business leaders and boards are communicating more frequently about strategies to overcome cyber threats, they speak very different languages. Cybersecurity experts need to speak less technical jargon, while boards need to help them understand which assets and processes should be prioritized for protection, the WEF report said.
For risk managers and insurers, finding ways to mitigate and insure cyber risks continues to be a challenge. In an interview on page 13, Jennifer Santiago, 2023 president of the Risk & Insurance Management Society Inc. and director of risk management and security at Wakefern Food Corp., shares how risk managers face an erosion of coverage, capacity and cost when deploying cyber coverage for their organizations . Risk managers fear that fewer markets will be willing to underwrite cyber and that more exclusions will be introduced, what Santiago calls “a Swiss cheese policy.” That’s why many risk managers believe it’s critical to create a federal backstop to manage cyber risks—both large-scale cyber incidents and day-to-day cyber risks. While the devil is in the details of how such a program would be structured, momentum is building in the risk management community toward a solution that could alleviate some of the market pressures exacerbated by near-daily cyberattacks and be a positive step for policyholders. But to have any chance of getting through soon in a bitterly divided Congress, insurers must also get on board.