The Growing Challenge Of Cyber Risk

How can we prepare?

By John Drzik
This article first appeared in World Economic Forum on January 17, 2018.

A positive outlook for the global economy shouldn’t engender complacency. As described in the Global Risks Report 2018, the rapidly shifting global risk landscape presents a challenging operating and investment environment for businesses.

The pace of change has been increasing, characterized by rapid technological advances, seismic shifts in the geopolitical landscape and growing sources of social instability. The broad range of potential shocks that could emerge in this context demands a strategy that puts a premium on resilience.

The average time companies spend in the S&P 500 index has already decreased from approximately 60 years in the 1950s to 12 years today. The velocity of change in the current environment, creating both new opportunities and new threats, will likely drive down this figure even further.


Source: World Economic Forum, Global Risks Report 2018, MMC analysis


One place where many of these issues come together is cyber-risk. Cyberattacks are perceived as the global risk of highest concern to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018, according to the risk perception survey that underpins the Global Risks Report.

Exposure to risks from cyber is growing as firms become more dependent on technology. The explosive growth of interconnected devices expands the size of the surface open to cyberattack for organizations — and the number of interconnected devices in the world is expected to jump from 8.4 billion today to 20 billion in 2020. Increased use of artificial intelligence in business processes also heightens exposure to cyber-risks.

At the same time, geopolitical friction is contributing to a surge in the scale and sophistication of cyberattacks, particularly from well-resourced efforts with state backing. Firms, large ones in particular, need to anticipate attacker objectives that range from theft and business interruption to extortion, economic espionage, reputational damage and the infiltration of critical infrastructure and services. This highly diverse and very active set of adversaries makes cyber a very challenging risk to manage.


Awareness of this challenge is growing and investment in cyber-risk management is increasing. However, cyber is still under-resourced in comparison to the potential scale of the threat, a view that’s even more compelling when considered in the context of a more familiar issue — natural catastrophes.

Analysis suggests that the takedown of a single cloud provider could cause $50 billion to $120 billion of economic damage — a loss somewhere between Hurricane Sandy and Hurricane Katrina. And while it’s not exactly apples to apples, the annual economic cost of cybercrime is now estimated at north of $1 trillion, a multiple of 2017’s record-year aggregate cost of approximately $300 billion from natural disasters.

Although cyber-risk management is improving, businesses and governments need to invest far more in resilience efforts to prevent the same “protection gap” between economic and insured losses that we see for natural catastrophes.

The supportive infrastructure to manage and mitigate cyber-risk is not nearly at the same scale as the one in place for natural catastrophes. National cyber agencies, although expanding, don’t have the same capacity as the public and voluntary sector agencies ready to respond to natural disasters — such as FEMA in the US. Additionally, international protocols for sharing intelligence and mitigating impact, curbing malicious endeavours and forestalling escalation and retaliation are only starting to emerge — and are only endorsed by a few countries at the moment, with no sanctions for noncompliance.

Businesses also need to focus on their resilience to cyber events and generally need to rebalance their initiatives from prevention to response. While companies in at-risk areas often have rigorously developed response plans for extreme weather events, this is rarely the case for cyberattacks. Indeed, research suggests that only one third of companies have prepared an incident response plan for a major cyberattack.



One clear takeaway from this year’s Global Risks Report is that there’s a wide array of potential shocks that could emerge at this time of rapid technological, political and societal change. With firms more leveraged than they were a few years ago — the debt-to-equity ratio has nearly doubled since 2010 for the median S&P 1500 company — their stability is even more vulnerable to these potential shocks and surprises.

Innovation and growth need to be reconciled with risk and stability. More than ever, business leaders need to chart a course for their companies that has a bold strategic ambition to capture emerging opportunities and rigorous resilience planning that matches up against the complex set of risks in the current global landscape.
