Marsh warning about Hurricane Katrina-scale losses from cloud breach

Marsh warning about Hurricane Katrina-scale losses from cloud breach

Marsh warning about Hurricane Katrina-scale losses from cloud breach Cyber exposure shot into focus in 2017. Dramatic events like WannaCry and NotPetya crippled parts of the corporate sector and forced the business world to wake up to the ever-evolving issue.

Attacks against businesses have almost doubled in five years and the financial impact of breaches is rising rapidly. Indeed, cybersecurity was highlighted as a key issue in the World Economic Forum Global Risks Report 2018, released on Wednesday. It was noted as the risk most likely to intensify in 2018 and the top concern among business leadership in advanced economies.

“Cyber risk is an area where some of the threads in the global risk environment tie together,” said John Drzik, president of global risk and digital at Marsh. “Looking forward, the scale and sophistication of cyberattacks is going to grow, fueled in part by geopolitical friction. This could lead to more state-sponsored attacks to add to the more financially motivated attacks that are already out there.

“Alongside this increasing suite of attackers, cyber exposure is growing within companies, [due to] the proliferation of interconnected devices. Currently today, there are 8.4 billion connected devices out there, which is already greater than the global population of 6.8 billion. That figure is predicted to grow to 20 billion in 2020, so that widens the potential attack surface for companies.”

The use of artificial intelligence (AI) and other emerging technologies is also leading to greater cyber exposure for companies worldwide. But response to the exposure is still under resourced when compared to leading environmental risks like natural catastrophes.  

Estimates suggest that if an attacker took down a major cloud provider, the economic damages could be anything from US$50-120 billion – which is comparable to a Hurricane Sandy or a Hurricane Katrina loss event, explained Drzik.

“The aggregate cost of cyber is now estimated by a number of sources at more than a trillion dollars per year versus the roughly $300 billion experienced in 2017 from losses to natural catastrophes - and that was a record year,” he added. “So, if you think about the comparative scale, cyber is at or above the scale of natural catastrophes - and yet the comparative infrastructure against it is much smaller in scale.

“Think about the government agencies and the voluntary organisations that focus on response to natural disasters versus national cyber agencies, which are much less resourced. [The cyber agencies] have some capacity but not enough to deal with this significantly growing risk. Also, international protocols have yet to really emerge in dealing with cyber risk, and those are going to be needed as well. In the geopolitical climate that we’re in, it’s harder to get to multi-lateral agreements.”

Cybersecurity infrastructure is also lagging in the business world, compared to preparedness for natural catastrophes, according to Drzik. Companies based in natural catastrophe zones tend to have “extensive business continuity plans” to respond to emergencies, whereas only about a third of companies have a cyber incident response plan in place to deal with a major attack.

“This is an environment where businesses could face a wide range of shocks through cyber and beyond,” he added. “It paints a challenging picture for the defense against cyber risk.”


Related stories:
World embarking on “critical period of intensified risk”
Government small business cyber guide too little too late?