Cyber security – risk mitigation
Recent reports from Aon and Zurich demonstrate the increasing importance that corporates are placing on their vulnerability to cyber attacks
Aon Risk Solutions, the global risk management business of Aon plc, recently unveiled the key risks as identified by its clients across the globe. For the first time ever, cyber risk entered the top 10 at number nine, reinforcing its emergence as a key risk factor. Damage to brand and reputation was cited as the top overall concern facing global organisations, further underscoring the increasing importance of cyber risk as it has been regularly linked to brand and reputation issues in the wake of data breaches.
Aon’s global clients strongly felt that damage to brand and reputation ranked as a top concern across almost all regions and industries. This can be attributed to the growing challenges businesses are facing among the risks found in the top 10 list, such as cyber risk, but also including business interruption, property damage and failure to innovate.
The 1,400 respondents to the Aon Global Risk Management Survey included CEOs, CFOs and risk managers, who provided comparative insight into different perceptions of risk. Typically, financial and economic risks including commodity price risk, economic slowdown and technology failure were seen as damaging at C-suite level, with risk managers focused on liability-related risks such as cyber, property damage and third-party liability.
Stephen Cross, chief innovation officer for Aon Risk Solutions, commented on the findings: “The insights provided by this survey help us understand how risks are changing as the global environment evolves. It’s little surprise to see cyber risk enter the top 10 at the same time we are seeing increasing concern about corporate reputation as the two issues are a great example of the interconnectivity of risk. What is surprising was the lack of alignment between the Board and the risk manager. Such diverse views illustrate how imperative it is that the board of directors have effective and regular communication with risk managers to effectively assess and mitigate the company’s risk exposure.”
Rory Moloney, CEO of Aon Global Risk Consulting, said: “This is one of the most comprehensive and insightful surveys available on risk mitigation and reveals a number of different challenges driven by today’s globally inter-dependent environment. While new risks such as cyber have moved to centre stage, established risks like damage to reputation or brand are taking on new dimensions and complexities. The interconnected nature of these risks reinforces the importance of strategic risk management in every organisation.”
Risks assessed
Meanwhile, a new report on cyber governance commissioned by Zurich Insurance Group highlights challenges to digital security, and identifies new opportunities for business. It calls for the establishment of guiding principles to build resilience and the establishment of supranational governance bodies such as a Cyber Stability Board and a ‘Cyber WHO’. Zurich and ESADE Center for Global Economy and Geopolitics (ESADEgeo), a leading authority on global governance, published Global Cyber Governance: Preparing for New Business Risks, which proposes new measures to strengthen the global governance framework for managing evolving cyber risks.
The report observes that while emerging technologies such as drones, 3D printing and self-driving cars are fundamentally changing the nature of cyber risk, the current regulation and governance regimes in place globally are inadequate to ensure the security of the world’s cyber infrastructure.
“The existing governance framework from the 20th century cannot be expected to respond sufficiently to 21st century technology,” Zurich’s chief risk officer Axel Lehmann said. “We live in a world full of opportunities, but also risks. There is no better example of this than the relationship between information and communications technologies and cybersecurity. The cyber realm underpins almost all economic and societal activity – from finance to trade, information, energy and beyond.”
Geopolitical and ideological tensions between states, the report points out, are increasingly played out in cyberspace – including over matters of governance. “Growing political instability could be exploited by some governments aiming to reduce capabilities and [the] scope of some technical institutions that provide stability and resilience to cyberspace, thus undermining its multi-stakeholder approach,” said Javier Solana, president of ESADEgeo. “Isolating effective cyber governance from the current geopolitical tensions must therefore be a priority.”
Companies in almost all sectors are exposed to cyber threats with the potential to cause enormous damage in terms of reputation and physical losses, liabilities, and regulatory costs. Unchecked, these cyber threats could severely affect technical and economic development globally. “The nature of cyber security is evolving so quickly it can be difficult for businesses to keep track of the risks let alone the solutions,” said Mike Kerner, CEO of General Insurance for Zurich. “It is very clear that businesses that want to protect themselves from cyber security and privacy risks must adopt a mindset of resilience.”
Based on a detailed mapping of the rules, institutions and procedures that form the current global cyber governance framework, the report highlighted opportunities for the private sector, civil society and policymakers to improve the current situation and facilitate the mitigation of cyber threats. Recommendations to policymakers include the creation of a Cyber Stability Board to strengthen global institutions and insulate them from geopolitical tensions, and the creation of a cyber alert system based on the World Health Organization (WHO) to enhance crisis management.
At the same time, the private sector needs to engage in sharing information and employ an approach that will increase its overall cyber resilience in order to address the inadequacies of the framework.