The $445 Billion cyber risk gap

The Internet of Everything will drive growth - and create new globally interconnected risk issues for businesses worldwide (yours included)

$445 billion.

That’s one middle-of-the-road estimate of how much cybercrime costs the global economy each year—more than the GDP of Singapore or Austria. If cybercrime was a nation, it would represent the world’s 27th largest GDP.

But it’s what lies beneath these numbers that should be keeping business leaders awake at night in the hyper-connected age of the Internet of Everything. It’s hard to assess the broader impact of cybercrime because it is so highly interconnected with other global risk factors, and because it is defined and reported differently by every country. Many cyber incidents go unreported because they touch on national interests or the reputations of corporations. 

These variations in standards and the difficulty in putting a true cost to cybercrime make it difficult for policy-makers to develop a suitable response. Whether global cyber governance can ever be effective enough to help reduce these threats remains an open question; the potentially devastating impacts of a failure to do so is not. 

Precedents for success

Catherine Mulligan, a Senior Vice President at Zurich Insurance Group (Zurich) who specializes in underwriting errors and omissions risks, points to a number of global networks, such as the World Health Organization (WHO), that have been created to respond to risks that reverberate across the continents. Such organizations, she says, might serve as useful templates for a global institution governing cyber issues. Mulligan has also seen signs of enhanced public-private cooperation, another key element to improved cybersecurity. 

“The issue is on the radar,” Mulligan says. “The level of attention from governments has increased in the past two years. And the 2015 World Economic Forum Global Risk Report talked about the importance of public-private cooperation. It’s encouraging that we’ve seen multiple sectors bring their expertise to the conversation.”

Zurich, for example, has participated in working groups and roundtables with U.S. cabinet departments and the U.S. Chamber of Commerce. Mulligan herself recently spoke before a U.S. Senate Commerce Committee hearing regarding the evolving cyber-insurance marketplace. At the international level, there is movement, too. One such step occurred in December 2014, at the inaugural EU-US Cyber Dialogue in Brussels, where representatives voiced their full support for multi-stakeholder governance structures.  

Only time will tell whether the global cyber-governance gap can be effectively narrowed, but in the meantime, Mulligan emphasizes that private companies must shift their thinking from protection to resilience.

“You can’t just defend—technology is increasingly complex, and cybercriminals are increasingly creative,” she says. “Being able to detect threats and then respond efficiently goes a long way to mitigating the costs and the downtime.”

Such efficiency requires company-wide acknowledgement of the seriousness of cyber risks. That implies C-suite and board level involvement in managing them and a culture of awareness across the organization. All stakeholders need to be at the table, with risk managers, human resources and general counsel sitting shoulder-to-shoulder with IT. Resilience, Mulligan says, starts with incident response and business-continuity planning. But creating a plan is just one of many steps.