Annual global cyber losses are expected to hit US$6 trillion by 2021, with cybersecurity spending projected to exceed a total of US$1 trillion for the five years leading up to 2021, according to a new report from Aon quoting statistics from Cybersecurity Ventures.
While the immediate costs of a cyberattack can be significant, Aon’s report suggested that damage to a business’s reputation could cost just as much or even more in the long term.
“The reputational crisis resulting from an attack can erode a company’s market value, destroy brand loyalty, limit companies’ digital transformation efforts and even lead to a credit-rating downgrade,” Aon said. “An effective cyber resilience strategy can help mitigate both immediate and long-term financial losses.”
“Some companies still don’t fully understand the impact a cyberattack can have on a business,” said Onno Janssen, Aon CEO of Risk Consulting & Cyber Solutions EMEA. “Understanding the worst-case scenarios and their impact to a business is crucial to developing an effective resilience strategy in which cyber is managed as an enterprise-wide risk across the entire organisation. The cyber threat is amorphous, and the technology it exploits is advancing at a dizzying pace, so the risk landscape is never going to stand still.”
Janssen said business leaders needed to prioritise defending against cyber risk.
“The C-suite will have to aim to constantly improve its holistic cyber risk management strategies to prevent, prepare for and be able to respond to a cyber crisis,” Janssen said. “Ultimate responsibility for all risk management efforts resides in the boardroom.”
Aon’s report outlined four steps for building an effective cyber resilience strategy:
- “Take it to the top”: While cyber risk management should be an enterprise-wide concern, final accountability for understanding the costs and consequences of a cyberattack rests with the board.
- “Unite your business”: Cyber risk is a threat to the whole business, calling for a multi-level response that involves every relevant stakeholder.
- “Get ahead of the game”: Businesses shouldn’t wait for a cyberattack to happen before acting. Incident-response training is critical to preparing a business to respond effectively to an attack.
- “Protect your balance sheet”: Cyber insurance can protect an organisation’s balance sheet by providing a financial payout after a cyberattack, as well as providing pre-loss and post-loss services.