Cybersecurity should be a boardroom topic, so why isn’t it?

In the land of lies, damned lies and statistics, the insurance industry may be one of the more trustworthy sources. After all, it is founded on maths, its actuarial background built into every policy and claim. As purveyors of protection against all risks, insurers care less about which risks are more important, and more about the relationship between premiums and pay-outs. Indeed, getting this equation wrong is potentially the biggest risk the industry faces.

So, when insurance giant Allianz reports that cybersecurity is the second most important business risk, according to over 1,900 respondents globally, we would do well to sit up and listen. To put this in context, over the past five years it has climbed from 15th position, so why? First and simply, the number and complexity of cyber attacks are growing. This is to be expected, as it mirrors technology’s increasing impact and complexity: the bad things are dark mirrors of the good.

The organization also cites GDPR as a significant driver, not in causing breaches but in how they may result in considerable fines. “Many businesses are waking up to the fact they have potential vulnerabilities, and the realization that privacy issues create hard costs will emerge fairly quickly once GDPR is implemented,” says Emy Donavan, Global Head of Cyber at Allianz Global Corporate & Specialty (AGCS).

But wait, there is more to this. The Allianz survey is global, across 80 countries. An appendix shows how Nigeria sees theft and fraud as the biggest cause of business risk, while in Croatia it is legislative change, and so on. In the USA and UK meanwhile, as well as Austria, Belgium, Brazil, Australia, India, South Africa and Singapore, cyber incidents take top spot in the risk charts. Cyber is the number one risk in the Media, Financial Services and Legal, and indeed the Technology and Comms sectors. It’s also the top risk for mid-sized companies.

And, to cap it all, let’s just look at the number one business risk — business interruption (BI). “Whether it results from factory fires, destroyed shipping containers, or, increasingly, cyber incidents, BI can have a tremendous effect on a company’s revenues.” What’s that you say, cyber incidents are one of the main causes of the main business risk? Indeed, they are the first in the list, according to respondents, before fire/explosion or natural catastrophe.

In other words, while cyber incidents pose a significant challenge by themselves, their consequences can be even greater — it’s difficult to escape the conclusion that cybersecurity should be a boardroom topic right now. The good news is, organizations large and small are well aware of the challenge, are they not? Well, no, says AGCS UK CEO, Brian Kirwan. “Far from being over-hyped, the threat is under-appreciated and not always well understood.”

I’m not sure any additional comment is required, other than that the conundrum around cybersecurity remains as astonishing as ever. Behind the figures lies a simple truth, that business continuity today means data continuity. While no person is indispensable in an organization, take away its sensory capabilities and you render it useless.

On the upside, and rightly so, insurance companies such as Allianz do have insurance products, and indeed whole practices, to help organizations protect themselves against such risks. But this is missing the point. While it is difficult to get a clear answer (that’s the nature of denial), the corporate position still appears to be that dealing with cyber-threats is too complicated to address, so we’ll all just cope with the consequences.

This frontier town attitude never worked, and it is going to become even less viable really soon. We are at the start of a wave of machine learning, which will grow rapidly in scale over the next few years: you don’t have to be a guru to work out that one of the softest targets for semi-intelligent bots will be the highly vulnerable defences many organizations still have around their data centers. Corporate psychology will shift quickly from hoping cyber incidents will happen to somebody else, to finding that the paltry and permeable protections have already been breached.