Allianz’s survey analyzed the most important global business risks for 2022 and beyond, based on insights from 2,650 risk management experts from 89 countries and territories across 22 industry sectors including various other organizations of all sizes.
Cyber Incidents Are the Number One Global Threat
Cybercrime, IT failure/outage, data breaches, and fines and penalties are categorized as the top global business risks for 2022 by Allianz. There has been a 44% rise in all of these areas, compared to 2021. Business interruption (such as physical supply chain disruption) and natural catastrophes (such as weather events and earthquakes) fall to second and third place after cyber incidents, respectively. It is also important to distinguish that cyber risk itself is also a big driver of increased business interruption in the 21st Century. Meanwhile, even the global pandemic outbreak is further down the global risk line at fourth place. Cyber incidents lead the way in the “top concerns around the world” the report states. According to Allianz, “Ransomware and other disruptive forms of cyber-attacks continue to bedevil businesses, while potential risks from digitalization and the shift to remote working are driving growing concern.” Particularly of note is the area of high profile ransomware attacks, coupled with problems caused by accelerating digitalization and remote working, all pushing cyber risk to the top this year, the report states.
Ransomware Dominates the Threat Landscape
The “top cyber exposure of concern” is ransomware this year, accounting for 57% of the survey’s concerned respondents, just ahead of general data breaches, Allianz says. Ransomware has become “big business” for cybercriminals, who have fine-tuned their business models and schemes “lowering barriers to entry and making it easier to carry out attacks,” Allianz wrote. A ransomware attack can now be carried out for as little as $40 with the use of cryptocurrency to evade detection, made easy by the commercialization of cybercrime. Notable forms of ransomware making the rounds now are “double extortion” or double data encryption tactics. Cybercriminals will threaten to release sensitive or personal data, attempt to compromise backups, as well as harass employees, and demand ransom directly from company senior executives. “In the past, a bank robber may have hit one or two banks in a week after many months of preparation. Yet, with a cyber-attack, you can target thousands of businesses at once, anywhere in the world, and extract more valuable data than before,” Global Head of Cyber at AGCS Scott Sayce said. Due to all of this, cyber insurance claims have significantly increased in the past few years, spiking after 2020, coinciding with the vulnerabilities uncovered by the global pandemic. On the other hand, the good news is that an increased focus by law enforcement on high-profile cyber threats like ransomware attacks, as well as organizations’ increasing cyber awareness have slightly decelerated these risks. As a result “ransomware claims are showing some tentative signs of stabilizing” Chief Underwriting Officer Corporate at AGCS Shanil Williams noted. Albeit, perpetrators will always look to “exploit new vulnerabilities and employ new tactics,” such is the nature of the cyber world, Williams said.
Supply Chain Attacks Are Rising
High-profile cyberattacks are displaying a “worrying trend” for the supply chain. Hackers are targeting technology or software supply chains, as well as physical critical infrastructure (CPS systems) and digital single points of failure, the report states. Prime examples of some unprecedented cyber incidents that touch on the above are the recent Log4j fiasco, the Kaseya incident, and the Colonial Pipeline ransomware attack. With regards to this, perhaps the most notable cyberattack of all time that still lingers in the air, the SolarWinds incident, occurred in 2020. The increasing digitalization of supply chains, growing reliance on digital infrastructure, remote work, and cloud vulnerabilities all add to the growing concerns as sophisticated cyberattacks appear on the horizon more frequently, Allianz wrote. The security and normal operation of the global supply chain is critical for the world economy. “For most organizations, the biggest fear is not being able to produce and deliver their products or services,” Property Industry Lead, Technology, Media and Telecoms at AGCS Philip Beblo remarked.
Changes in Legislation and Regulation Adds to Cyber Risk
Another reason cyber risks are the number one global threat this year is that “significant impacts expected from changes in legislation and regulation (the fifth top risk) in 2022 will be around big tech and sustainability,” the report says. In an evolving cyber risk landscape, insurance entities like AGCS are now assessing insurance submissions with specific criteria in mind to improve global cyber security resilience, such as “proactive technology controls, as well as regular backups, patching, training, business continuity arrangements and crisis response capabilities.” Investor and shareholder action around the world is increasingly focused on cyber resilience, ranking it as the number one priority as far as “ESG” (environmental social and governance) issues go, the report says. In the past, it was mostly tech companies that were scrutinized about cyber security resilience, but these days a broad range of sectors is subject to it, Global Head of Liability Risk Consulting/ESGE at AGCS Michael Bruch added. “The cyber market is shifting to a service-oriented offering that combines insurance policies with technology, risk engineering and response services,” Sayce added.
What This Means for the World
Cyber risks are the top concern, particularly for some of the world’s greatest economies that harbor Big Tech companies, such as the U.S and the EU. The EU has already rolled out its stringent, breakthrough GDPR that has been handing out eye-watering fines to organizations while seriously toughening up data protection, regulation, and overseas data transfers. The various National Cybersecurity Strategies in the EU and the European Council’s new cybersecurity directive are a great insight into what is being implemented. “Legislation never sleeps and despite many promises to reduce red tape, new rules and regulations proliferate. 2022 will be no exception, particularly in the areas of big-tech and sustainability” Allianz wrote. 2022 should be a revolutionary year that will birth a fairer, better-regulated, more sustainable data economy Chief Economist at Allianz Ludovic Subran says. In terms of the U.S., President Joe Biden is laying out his “digital agenda,” with the White House hard at work on data privacy, cybersecurity frameworks such as CISA’s “Shields Up“, and improvements to the all-important EU-U.S. trans-Atlantic data highway.
Cyber Hygiene is Paramount
Being proactive in an extremely risky cyber world means augmenting cyber hygiene to as high a level as possible. Less than 40% of organizations test their business continuity plans, the report says. Furthermore, for optimal cyber hygiene organizations must heed the following criteria:
Endpoint protection Multi-factor authentication Regular backups Patching Training Business continuity arrangements Scenario testing Crisis response capabilities
“Good cyber maturity and good cyber insurance go hand-in-hand. We buy insurance for our home, but this does not mean we leave the front door unlocked, and the same should be said for cyber security,” Sayce added.
Cybersecurity Terminology
To better understand some of the cyber security terminologies in this article, here are some brief descriptions of the key themes discussed above.
Ransomware
Ransomware is a high-profile form of cybercrime that cybercriminals leverage to extort targets via ransom fees, as well as cripple corporate networks, private networks, and devices. It typically resides as a form of Trojan virus in a computer system. Ransomware can encrypt all of the data on a system, after which access is given back to the victim at the whim of the perpetrator. Perpetrators usually ask for payment in cryptocurrency to unlock the hijacked data, which is difficult to trace. Ransomware is also offered as a service on the dark web.
Backups
Backups refer to storing an additional copy of the contents of a computer system in case of damage, loss, or corruption. Backups can be stored either online or offline, with the latter being much more secure. The practice of backing up data is critical for all organizations and can determine whether an organization survives following a cyber incident.
Supply chain
In terms of cybersecurity, securing the supply chain is key for the world economy. A supply chain is a network between companies, suppliers, products, and buyers. Cyber attacks can cripple supply chains, thereby causing the economy billions in losses, endangering lives in the process.
Data breach
A data breach is a general term for a cyber security incident where sensitive information is accessed, stolen, or used in an unauthorized manner by a malicious third party. There are several types of data breaches, including ransomware attacks, email phishing, SQL injections, and more.
Cyber resilience
Cyber resilience refers to an organization’s level of preparedness for cyber incidents. This includes whether an organization has adequate risk management measures in place, complies with regulations, and in general defines an organization’s ability to prepare, respond, and recover from a cyber incident.
