In this Opinion article, Alison Martin, Group Chief Risk Officer at Zurich Insurance Group, takes a look at cybercrime and how this rising and ever-changing type of risk poses challenges for the insurance sector.
In a time of increased extreme weather events, looming trade wars, volatile US political rhetoric and rising CO2 emissions – not to mention increased interconnectivity – the risks we face today come from all sides. They also have a far greater impact on business than may at first seem obvious. In such a context, caring for a business means considering everything that could affect it, which demands a truly holistic risk management approach.
Out of the top ten risks by likelihood, cybercrime is listed as number three, according to the Global Risks Report from the World Economic Forum and Zurich. This needs to be a critical point of focus this year. Cyber risks are growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming commonplace. The cost of cybercrime to businesses over the next five years is estimated to be $8 trillion. This is globally unsustainable.
The WannaCry worldwide cyberattack highlighted the alarming impact of cybercrime beyond financial costs. Crippling hospitals, banks, railways, telecommunication providers and other companies across the globe, it illustrated a growing trend to use cyber-attacks to target critical infrastructure and strategic industrial sectors. This has raised fears that, in a worst-case scenario, attackers have the capability to break into the systems that society depends on.
The insurance industry needs to do more to support clients on cyber risk, starting with improved awareness. There is an urgent need for better tools and models to help customers, encouraging them to see the bigger picture and understand the risks they could face. Now more than ever, they will be looking to their insurers not only to guide them through the unknown, but also to flag these risks ahead of time, helping them to embrace new strategies and develop the necessary resilience to overcome them.
Many organisations, however, do not feel that they are equipped with the tools to manage cyber risks with the same level of confidence that they manage other risks. Emerging leading practices have not yet become part of the standard set of board competencies. For this reason, Zurich, along with the World Economic Forum, has distilled leading practice into a framework and set of tools that boards of directors can use to smoothly integrate cyber risk and resilience into business strategy, forming part of the Advancing Cyber Resilience paper.
A substantial 84% of board members surveyed as part of the paper agreed that better cyber resilience tools and guidelines are needed to support their oversight work, seeking tools to help them fulfil what they see as their fiduciary responsibilities relating to cyber resilience. While it is unlikely that every risk can be avoided, a clear framework for managing risk will reduce the impact of any incident.
The framework of ten principles has been developed with the Forum to help guide board action. While supervisory boards have developed a high awareness of cyber risk in recent years, fighting cybercrime cannot be based on risk transfer alone; it also requires greater oversight of the strategic risks and of the risk management approaches taken. The principles propose that the board as a whole should take ultimate responsibility for oversight of cyber risk and resilience, assigning one corporate officer who is accountable for reporting on the organisation’s capability to manage cyber risk and for leading the implementation of cyber resilience goals.
Meanwhile, cyber risk assessment should feed into overall business strategy and enterprise-wide risk management, as well as into budgeting and resource allocation. After all, cyber resilience has the potential to make or break a business, so it must be put at the forefront of discussions.
If strategic guidance for decisions like the ones above is not set at the governance level and then lived by the entire organisation, an enterprise cannot ensure its own resilience. Rather than implementing solutions after the problems have occurred, boards and leaders must rapidly enhance their capabilities to prevent attacks, insofar as possible, in order to overcome the significant challenges that lie ahead.