Technological risks such as cyber attacks and data fraud and theft are intensifying according to the Global Risks Perception Survey results published within the World Economic Forum’s Global Risks Report 2019.
Regardless, environmental risks dominate the high impact high likelihood quadrant of the risks landscape. And, the global risks landscape is also being influenced by geopolitical tensions and macroeconomic risks, both increasing, with trade wars and slowing growth being key drivers, respectively.
"Regardless of the Executive Opinion Survey results, it can feel like businesses are not paying enough attention to managing technological risks"
Therefore, while technological risks are moving up in the risks landscape, they are not yet dominant. However, as is the case for most risks, people tend to pay more attention and become more vocal when they are affected more directly.
One can,, suggest that, as we expect to see a greater number of cyber attacks and data fraud and theft, those risks will continue moving up the global risks landscape in terms of impact and likelihood. 2018 also saw continuing evidence that cyber-attacks pose risks to critical infrastructure.
Perhaps experience is the reason we see a differing view from business leaders expressed via the Executive Opinion Survey published in late 2018 within the World Economic Forum’s Regional Risks for Doing Business Report. Cyber attacks were rated as the number 1 risk to doing business in countries that make up over 50 percentof the world’s GDP.
While cyber-attacks were the number 1 risk in Europe, North America, and East Asia and the Pacific, data fraud and theft also made it into the top ten risks in all three regions.
Regardless of the Executive Opinion Survey results, it can feel like businesses are not paying enough attention to managing technological risks. That may also be true as the global risks landscape is complex and differing circumstances in various geographies may mean that other risks are the priority.
It is important not to make the mistake of thinking technological risks do not need to be managed. To the contrary, we should not forget that they are arguably the most global of all risks in that almost any person or business can be affected at any time.
What are the Key Considerations Regarding Technological Risks?
If we are to live in a digital world, people will expect companies to show strong cybersecurity and data stewardship, particularly as the risks intensify. Those expectations will vary by country, industry, and an individual’s circumstances.
For example, it is hard to imagine a furniture manufacturer having the same exposure to the risks of cyber-attacks and data fraud and theft as a bank. And any loss of personal data is also likely to be perceived quite differently by the person affected.
I have mentioned cyber-attacks and data fraud and theft many times, but if we approach the topic from an ESG (environmental, social and governance) perspective, one could argue that the ethical use of data and Artificial Intelligence (AI) is another critical factor to manage.
Companies are increasingly required to measure and report their sustainability and ethical impacts of their business. With or without the reporting requirements, the unethical use of AI may prove to be an existential threat to a business.
It is not hard to imagine the existential threat being realized in a scenario where a customer backlash occurs, and trust is forever lost, after the unethical use of data or AI by the company comes to light.
With all that in mind, the view of Zurich Insurance Group on cyber, data and privacy comprises three key areas:
• Cyber (attacks) risk mitigation: Apply a holistic, proactive, and preventive approach to cyber risks, from a strategic level down to an operational level. At Zurich, we use this approach for ourselves, to support our customers, and for wider society. This approach focuses on risk awareness, protection, prevention, and resilience (response and recovery).
• Responsible use of data and algorithm: Prioritizing the customers’ privacy and interests are paramount. For example, using the four-eyes principle for AI algorithms.
• Respect of privacy: Data protection obligations must be taken very seriously. Customers, employees, and others place a great deal of trust in a company when they share their data.
To mitigate the risks around those areas, I believe it is critical to be prepared. Assess and test your security proactively pre-breach. Formulate an incident response plan and test it regularly. Also, continuously monitor your systems, and periodically perform vulnerability scanning and patch updates. Lastly, user awareness testing is also extremely valuable.
In the event of a breach, it is crucial for companies, and increasingly individuals, to have access to breach resolution services that provide the support they need to rectify their situation. That can be anything from a breach consultation, to credit and identity restoration services.
Last but not least, it is essential to learn from breach events whether they are experienced by the company or individual directly, or the experiences of others, so that similar incidents can be avoided in the future.
Why? Our experience says that regardless of the risk faced, prevention remains more cost-effective than post-event remediation!