Participants in 2019 Global Risk Management Survey ranked cyberattacks and data breaches as #6 in the top 10 risks currently facing organisations. The risk entered the Top 10 list for the first time (at #9) in 2015 and is projected to go from #6 to #3 in the next three years. As a result it is seen as no longer an if, but when a business will experience a cyber attack.
Startling figures have changed the public perception of cyberattacks:
- Malware attacks in SA increased by 22% in the first quarter of 2019 compared to the first quarter of 2018, translating to around 13,842 attempted cyberattacks per day – Kaspersky Lab.
- A data breach in South Africa costs an average of R36.5 million – IBM security study conducted by the Ponemon Institute.
When we break it down by industry; banks, retail, healthcare, insurance and technology companies consider cyberattacks or data breaches the top risk. These sectors rely heavily on digital advances to improve operational efficiency and increase their competitiveness. They were also the targets for the majority of mega cyberattacks in 2018.
Why have cyberattacks and data breaches become so rampant?
Our 2019 Cyber Security Risk Report highlights some of the vulnerabilities:
- The rapid expansion of operational data from mobile and edge devices, along with growing reliance on third-party—and sometimes even fourth-party—vendors and service providers, are heightening cyber risks.
- The combination of faster networks and vulnerable devices – Internet of Things (IoT) and the forthcoming transition to 5G – opens more doors to destructive threats.
- Employees remain one of the most common causes of breaches. In a 2018 Aon survey, 53% of respondents said their companies experienced an insider-related attack within the previous year. When an employee of a large healthcare company inadvertently opened a phishing email, nearly 80 million patient records on his system ended up in the hands of a foreign government.
- As the number of merger and acquisition deals rises (M&A deal value topped US$4 trillion in 2018), companies with a flawless approach to cyber security might have acquired a target that lacks cyber protection measures.
- Organised crime is now using former intelligence members for more sophisticated attacks, while state actors are both broadening the nature of their attacks and increasing their frequency.
- Lastly, an ever-changing set of regulations from governments around the world compounds the difficulties of managing cyber risks.
Despite the fact that the breadth and scope of cyber coverage has increased substantially since 2017, only 27% of participants in the 2019 Global Risk Management Survey from the Middle East and Africa region purchased cyber insurance.
Top industries purchasing cyber insurance are as follows:
- Investment and Finance – 83%
- Healthcare – 81%
- Retail Trade – 78%
- Banking – 75%
- Insurance – 73%
Given that technology continues to impact every job function, from the CEO to the entry-level intern, I believe that it is imperative for organisations to establish a comprehensive approach to cyber risk. Businesses must continually assess their overall cyber risk profile, remediate where recommended and proactively manage their defenses.
Cyber risk assessment
The use of cyber risk assessments has risen 16% since 2015. However, only 59% apply any formal process to identify and evaluate cyber risks.
This means that a significant number of boards and executives are making strategic risk management decisions with little to no data-driven insights when they tackle one of the most rapidly evolving risks.
Of those risk management teams that are involved in cyber risk assessment activities, there has been a positive increase in the application of quantification techniques to 40%, up from 23% in 2017, to evaluate the financial exposures from cyber risks.
Despite the increase, the majority of risk assessments are still not using any financial metrics to communicate the materiality of cyber exposure. The outputs from these assessments are not presented in a way that senior executives can understand their financial risk appetite, nor does it support data-informed capital allocation decision-making.
Although there appears to be a positive correlation between the upward trending of risk assessments and quantitative techniques and the increase in captive utilisation (from 8% in 2015 to 16% in 2019) and insurance procurement (21% in 2017 to 54% in 2019), risk management teams need to be more actively involved in bridging the gap between technical cyber risk assessment activity and the enterprise risk management framework.
It is important for risk managers to gain a better understanding of the impact of cyber risk as the risk that cyber-crime poses affects all companies, big and small. The insights and guidance from an expert who can provide a holistic offering of advisory and security services is invaluable to enable organisations to anticipate and effectively manage their exposures.