Marsh-RIMS study: Cyber-attacks and Volatile Weather are Top Risk Concerns for India Inc
For the second year running, large-scale cyber-attacks have emerged as the top risk for India Inc., followed by extreme weather events and data fraud, according to the findings of the Marsh RIMS Excellence in Risk Management India – State of Risk Management in India 2019, a joint report by Marsh, a global leader in insurance broking, and RIMS, the risk management society™.
Around 62% of the 179 survey respondents, including C-suite executives and senior risk professionals across 23 industries, identified cyber-attacks as the top risk. Extreme weather events (17%), data fraud or theft (10%) and fiscal crisis (9%) were among the other top risks for India Inc.
With the region facing several risks related to climate change — from more frequent and higher intensity storms to drought and water crises — it was not surprising to see weather events emerge as a high priority risk concern.
India, like other countries, has been susceptible to malicious cyber-attacks and fallen prey to lax cybersecurity protocols. Despite growing anxieties around cyber, traditional security strategies and investments continue to lag. “For organisations focused on balancing their growth plans and cybersecurity priorities, challenges and opportunities remain. Ultimately, to capitalise on technology-based opportunities, the digital literacy and competency within organisations need to keep pace with the evolution of cyber threats,” said Sanjay Kedia, Country Head and CEO Marsh India.
“Quantifying cyber risk can help organisations make better-informed capital allocation decisions, enable performance measurement and frame cyber risk in the same economic terms as it does other enterprise risks,” he said.
Impacts of Cyber Risks May Vary
India was the second-most affected country when it came to targeted cyber-attacks between 2016 and 2018, according to Symantec’s Internet security threat report (ISTR). However, despite India being one of the most affected countries in terms of the number of cyber-attacks, many Excellence India survey respondents feel that their company has yet to be greatly affected by a cyber-event. Nearly 70% of respondents said their organisation had felt no or only a minor impact from a cyber event in the past 24 months.
Among Excellence India respondents, 47% said their organisations have a high level of data security that includes defined and communicated policies, technical controls and online monitoring processes to prevent information leakage. This likely includes a significant number who are expressing an inflated sense of their preparedness, which can create additional issues.
That leaves more than half of respondents identifying as having less-than the highest security measures in place or not knowing whether they have adequate data security.
Aligning Risk Management Framework and Investment in Risk Management
This year’s Excellence in Risk Management India report delves into the maturity of the risk management function in India. Survey findings show that traditional cybersecurity strategies and investments continue to lag, despite a clear need for more effective risk management in India. The good news is that more companies recognise the importance of implementing a comprehensive risk management framework to improve their ability to manage risk and turn it into a competitive advantage.
The Excellence India survey found an overwhelming desire from respondents to make a stronger connection between risk management and strategic planning for the business. About two-thirds of respondents said that integrating risk management into strategic planning was their top investment priority for 2020.
More than 68% of the respondents listed investing in “integrating risk management into strategic planning” as the top priority when it comes to strengthening the risk management function in 2020. Another 15% rank investing in upgrading risk management technology as a top priority, however, close to 11% of the respondents indicated that building risk management capabilities is not an investment priority.
Lack of a Formalised ERM Program and Technology Adoption
Globally, enterprise risk management (ERM) programs — sometimes referred to as strategic risk programs — have taken hold and become the norm in many regions. Excellence India respondents, however, said the lack of a formalised ERM program was the biggest performance gap in their organisations’ risk management functions.
In what can be viewed as a related choice, most respondents ranked educating other (non-risk) employees on key risk management practices as the second performance gap. Taken together, filling these two gaps would go a long way toward integrating risk management into strategic planning — the top investment priority in 2020.
According to the 2019 Global Cyber Risk Perception Survey, many businesses are embracing technological innovation without adequately assessing the cyber risks of new technology. More than three-quarters of respondents cited at least one innovative operational technology — including cloud computing, proprietary digital products and connected devices/IoT — that they have adopted or are actively considering.
And yet, while 74% of firms said they evaluate technology risks prior to adoption, just 5% said they evaluate risk throughout the technology lifecycle — and 11% do not perform any evaluations. An effective ERM program can increase the likelihood that such evaluations will be ongoing.
Insurance Solutions for Emerging Risks
Given the nature of emerging risks, it’s no surprise that just 28% of Excellence India respondents said the insurance coverage available for emerging risks meets all of their organisation’s needs, and 55% said it meets most, but not all.
Looking back to the top risks identified by Excellence India respondents, it’s worth noting that either cyber-attacks or data fraud/theft were ranked as the number one priority by more than 70% of respondents, with extreme weather accounting for another 17%. These are high-profile emerging risks, with seemingly ever-increasing losses as technology opens up new cyber vulnerabilities and climate change heightens weather risks.
Only 7% of respondents believe that current insurance options do not meet any of their organisation’s needs around emerging risks. There were no chief executive officers or chief risk officers that held this view. At the same time, respondents who were treasurers or controllers said that available coverage meets some or all of their organisation’s insurance needs for emerging risks.
The survey shows that the risk managers on the ground and those closest to their organisation’s financial health were the only two groups to believe that the insurance coverage available in today’s market does not meet their organisation’s needs when it comes to key emerging risks like cyber and data-related risks.