Rising risks: how business is confronting cyber and climate threats

Less than twenty years after software security went mainstream, in the wake of Microsoft’s Windows 98 release, cyber attacks now represent the biggest risk of doing business for many countries, according to the World Economic Forum’s 2017 Executive Opinion Survey (EOS).

The cyber threat stands out as the only new entry in the global top ten risks for business over the next decade (up to eighth from 12th) and as a leading risk in rich countries. Business executives in Germany, Japan, Canada, Switzerland and the United Arab Emirates are more concerned by cyber than any other risk – and their perceptions are understandable. Already, an estimated 15 to 20 percent of the value created by the internet is lost to cyber crime. In countries where perceptions of cyber risk fell against last year – executives in the UK and U.S. ranked cyber second and third respectively after ranking it first a year ago – the change likely reflects a perceived increase from other threats as opposed to any easing of the cyber risk. The incoming co-director of enforcement at the U.S. Security and Exchange Commission said in June that cyber risks now pose “the greatest threat to markets”.

Cyber security: Preparing for Attack Should be Business as Usual

Businesses are increasingly treating cyber security as a core boardroom issue, rather than an IT one – and rightly so. John Scott, Chief Risk Officer for Commercial Insurance, Zurich Insurance Group, said: “With cyber risk, it’s not if or when you get attacked, it’s how big the consequences will end up being.”

The WannaCry ransomware infected 230,000 computers in 48 hours yet it could have been far worse without what security experts view as amateur flaws in its design. Management consultancies are encouraging firms to view cyber security as a way to generate business value.

Lori Bailey, Zurich’s Global Head of Cyber Risk, Commercial Insurance, said no company could consider itself immune but those with better cyber security could detect and respond to threats sooner. “Potentially, there’s a competitive advantage as the more you invest in cyber security, the more resilient you can become,” she said. Attacks such as WannaCry should act as “wake-up calls” for organizations to review their defenses.  

One way for major companies to protect themselves is through ‘bug bounties’ – regularly paying hackers to expose and fix vulnerabilities – and by being vigilant about annual independent cyber reviews. Response testing should also be business as usual - as normal as fire drills. Cyber stress tests can help businesses identify weak points in business continuity and incident response plans. They present a fictional worst-case scenario and observe how a business responds. The idea is to determine the critical systems, people and locations a business needs in order to continue operations, as well as how best to protect and recover them. Cyber resilience should be integrated into a company’s strategy, budget and risk management, with an accountable board member to oversee it.

Businesses have begun learning to take a holistic approach to cyber security, according to Lori Bailey. “Historically, companies have looked mainly at technology and network security,” she said. “They should continue to focus on that but also on the human element with education going all the way up to the C-suite and board of directors. When we are all moving so quickly, sophisticated hackers just need to get you to click one button.”

A new climate of transparency?

Increasing concerns around cyber attacks are in contrast with perceptions of risk related to environmental issues; neither extreme weather events nor failure to adapt to climate change were among the leading risks in early findings from the EOS (to find out more please click here). The new data suggests many businesses still see the impact of climate change as something that will play out over more than 10 years. Business executives “should start building resilience” to emerging risks, said Dr Scott. “Looking at the survey results, we can say that in the medium-term, business leaders, while focusing on social and economic risks, clearly underestimate the potential impact of environmental and technological ones,” he added.

Failing to tackle climate change could cost the global economy USD 12 trillion – around 10 percent of worldwide GDP – by 2050, according to the UN Development Programme. The figure relates to a predicted underperformance in economic growth with unabated emissions as opposed to successful efforts to limit global warming to 1.5C. Yet failures of climate change adaptation and extreme weather are not prominent in the survey results. Among the world’s top ten economies, only Canada views them among the top five risks. Failures in climate adaptation rank only 25th in the U.S.

Dr Scott attributes the difference between the North American neighbors to political and geographic differences. “The U.S. and Canadian governments have very different views on climate change,” he said. “Canada, due to its geographic location, with access to abundant freshwater and expanding areas of agriculture, is a country which arguably could benefit from climate change over time, whereas the U.S., with an energy and carbon intensive economy with large areas of water stress in the West and South-West, has decided to pull out of the Paris Climate Agreement.”

Many American businesses were dismayed by the U.S. withdrawal from the agreement, which set a target of keeping the global temperature rise to “well below 2C” and if possible to 1.5C. Companies also know that they will increasingly have to report publicly on climate change’s impacts. “The challenge is to identify the business rationale for mitigation and adaptation actions over one, three or five years when the return on investment is long-term,” said Dr Scott. “Despite the U.S. administration’s intention to withdraw from the Paris Agreement, a coalition of U.S. States and cities – “the United States Climate Alliance” which includes California and New York State – have pledged to cut emissions by 26% from 2005 levels, showing the determination to meet the country’s commitments to reduce greenhouse gas emissions.”

The Task Force on Climate-related Financial Disclosures (TCFD) is encouraging companies to voluntarily and transparently disclose climate-related risk information to investors, lenders and insurers. The TCFD was established by the Financial Stability Board, a G20 body, and hopes its recommendations will lead to capital being allocated more efficiently in the global economy. Reporting its key recommendations in June, the Task Force stated: “Many organizations incorrectly perceive the implications of climate change to be long term and, therefore, not necessarily relevant to decisions made today.” But in the words of Michael Bloomberg, chair of the TCFD, “if you can’t measure it, you can’t manage it.”

Interconnections that exacerbate risk

Business threats associated with both cyber and climate can act as risk multipliers, reinforcing the need for companies to become more resilient to both. According to a Business Continuity Institute survey, more than 55 percent of supply chain disruptions were related to unplanned IT or telecom outages.
Hackers have disrupted Ukraine’s power grid, adverse weather in Spain has led to vegetable shortages in the UK and floods in Thailand caused a lengthy spike in the price of hard drives. Businesses need to assess potential weak points in their supply chains and proactively consider alternative suppliers.

Climate volatility highlights the need to improve flood resilience but also jeopardizes water quality and supply reliability. The latter is a serious concern for many businesses and can be a factor in high population cities, as well as arid areas. Some risk interconnections may even exacerbate societal and geopolitical threats. Water scarcity can raise the risk of large-scale migration and conflict. 

Interstate conflict rose one place to be ranked as the ninth biggest global risk in this year’s EOS, while failure of national governance moved up to third. Dr Scott said: ”These risks interconnect in ways that allow for organized crime and terrorists to exploit the lack of governance in failed states and facilitate their ability to prosecute cyber attacks for political and criminal ends.”

Investing in resilience

Businesses, like governments, face public scrutiny for the choices they make in adjusting to and mitigating global risks. Cyber and climate-related risks to enterprise may both have been underestimated until now and will attract growing focus in the years ahead. Customers and shareholders are both increasingly aware of these threats and their potential impact on supply chains and business continuity. Business leaders must dedicate greater resources to developing resilience in these areas if they want to protect their profitability.

Key takeaways:

• Cyber attacks are perceived as one of the top risks in rich countries. Every company must now expect to be attacked and should take a holistic risk management approach with an accountable board member to oversee cyber security.
• While climate-related risks to business are seen as long-term, moves to encourage transparency over such risks are gathering pace and companies that embrace this trend can help ensure more efficient allocation of capital in the global economy.
• Cyber and climate threats act as risk multipliers through interconnections with other global risks. This reinforces the need for companies to better understand global risk interconnectivity and the impact on their business, as well as how to develop resilience by stress testing for different scenarios.