Reid Sawyer
Managing Director, Head Emerging Risks Group, Marsh
New Cyber Threats and Regulations Call for Urgency
Increasing reliance on technology by businesses has opened the door to greater cyber risk. In the Global Risks Report 2019, business leaders again ranked cyber-attacks as a top 5 risk and the peril most likely to intensify this year.
While environmental risk joined this year’s top 5 list, cyber remains a more pressing peril because it is quickly changing and its potential economic impact is escalating. As Marsh cyber leaders emphasized in the recent 2019 Cyber Landscape webcast, the time frame to address cyber risk is as short as 12 to 18 months.
An Urgent Risk Priority
Cyber risk is dynamic, continually morphing, expanding, and shifting targets, and challenging our expectations and assumptions. Unlike more familiar types of risk, such as natural disasters, cyber is proving more difficult for businesses. Over the years, cyber risk has evolved from “straightforward” phishing and data theft to sophisticated malware that hijacks systems. This has caused billions of dollars in damages and loss, underlining the need to manage cyber as a critical and ongoing business priority.
And the risk exposures are increasing. The accelerating adoption of new technology and digital devices within businesses creates an ever larger surface for attackers to infiltrate, more points of vulnerability, and new junctures for operational disruption.
Globally, a wave of new regulation — such as the European Union’s General Data Protection Regulation — is raising the stakes for management accountability, risk disclosure, and data practices, with potential for significant financial penalties. This momentum is expected to continue, with regulators increasingly focusing on privacy — particularly around data brokering — and seeking to hold businesses accountable for their use of new and emerging technologies. That aligns with the view of three-quarters of webcast attendees, who believe governments should do more to regulate cyber.
Managing Cyber Risk
Responsibility for cyber risk management lies not only with policymakers; businesses themselves need to take concrete action now. They must treat cyber as a strategic risk by:
- Applying the same discipline and rigor as they do to other strategic risks, approaching it as a fundamental, continuing problem-solving function.
- Quantifying cyber risk in terms of economic impact, to optimize investment allocation and return on investment evaluations.
- Avoiding viewing cyber risk solely as a technology issue or delegating to IT, and instead engaging key stakeholders across the organization.
- Capturing a complete picture of supply chain cyber risk and quantifying suppliers’ cyber exposure.
- Purchasing standalone cyber insurance coverage to complement technology and mitigation efforts.
- Developing a cyber risk management strategy that achieves current risk management needs and anticipates new regulatory expectations.
Cyber risk is evolving faster than any other type of risk, with the potential to inflict major financial and infrastructure damage in ways and on a scale we cannot yet define. Organizations can’t address it annually, defer to next year, or treat tactically. It’s time for all companies to adopt a sense of urgency about cyber risk, and begin to manage it strategically, quantitatively, and resiliently.
Listen to a replay of 2019 Cyber Landscape: New Regulations, Risks, and Management Expectations.