Webcast: Understanding, Measuring, and Managing Fast-Evolving Cyber Risks
Corporate spending on cyber risk is at an all-time high, but so are cyber losses, crossing into the trillions of dollars, according to panelists on Marsh’s New Reality of Risk® webcast.
Advances in technology, fast-innovating attackers, and a changing regulatory landscape are among the factors leading to this reality, explained Kevin Richards, Marsh’s global head of Cyber Risk Consulting. “The narrative on cyber risk is still evolving,” he noted.
While organizations are trying to abide by regulatory requirements, this is often not sufficient. Instead, organizations must determine their individual risk profiles through quantification exercises that put cyber on the same page as other operational risks. “Quantification provides a benchmark metric that allows for comparison to other internal enterprise risks as well as externally with industry peers,” Richards stressed. However, barely half of audience members participating in a poll during the webcast said their organizations have quantified their potential cyber exposure.
Bob Parisi, Marsh’s US cyber product leader, pointed out that businesses are starting to recognize that there is no technology “silver bullet” for preventing cyber-attacks. “It’s less about security and more about resiliency,” he said. While businesses are starting to recognize that cyber is an operational risk, most don’t have the mechanisms to handle it as such. And less than 80% of the audience said their organizations currently purchase cyber insurance, leaving many companies with big exposures.
Stephen Viña, a senior vice president in Marsh’s Cyber Practice, spoke about the risks associated with artificial intelligence, the Internet of Things, blockchain, and cryptocurrency. Companies, for example, are not always aware of the vulnerabilities of their own AI systems and how this “intelligence” is evolving. With more devices being connected to the Internet, hackers have a broader attack surface and are leveraging device vulnerabilities to infiltrate company networks.
And while blockchain presents tremendous opportunities, companies need to determine how it will interact with legacy systems and policies. Meanwhile, cryptocurrency carries three main risks:
- Legal uncertainty regarding its definition, with governments and regulatory bodies still trying to build a regulatory framework around the use of crypto assets.
- Security of crypto funds as they move from one place to the next.
- Governance of companies behind cryptocurrency.
The webcast also looked at the regulatory landscape surrounding cyber, including the EU’s General Data Protection Regulation (GDPR) and the recently enacted California Consumer Privacy Act (CCPA) that will go into effect in January 2020. Jeffrey Batt, a vice president in Marsh’s Cyber Practice, explained that the GDPR creates real financial consequences for companies that don’t abide by privacy and data security best practices. Likewise, the CCPA will raise the bar when it comes to data protection and privacy, adding real consequences for companies that don’t comply with established standards.
The panelists discussed evolving cyber insurance markets, which have experienced significant growth in recent years. Today, insurers are willing to provide broader coverage to keep pace with businesses’ changing risk profiles and are building solutions that are targeted towards small and medium enterprises.