Cyber may outstrip natural catastrophes in losses, according to panel at WEF Global Risks Report 2018 launch

According to estimates, the aggregate cost of cyber-attacks could dwarf the losses seen in 2017 for natural catastrophes – the biggest nat cat loss year on record.

Speaking at the launch of the World Economic Forum (WEF) Conference 2018, Marsh president of global risk and digital John Drzik compared the scale of cyber risk to known catastrophes; he outlined: “To compare the degrees of economic loss, there are estimates now that if a hacker took down a major cloud provider, the damages could be $50bn - $120bn, so something in the range of Sandy event to a Katrina event. The aggregate cost of cyber is now estimated by a number of sources at more than $1tn per year or economic loss - verses roughly $300bn experienced in 2017 from losses to natural catastrophes.”

Drzik urged both the private sector and governments to focus on mitigating the risk, saying: “Both business and government need to think about increasing investment in cyber risk management - being as this risk has become more visible. I think we are still under-resourced in the amount of effort being put into trying to mitigate this risk.”

In this year’s Global Risks Report, which was launched at the event, cyber featured prominently as a risk on the forefront of minds for those surveyed. As well as being the number one risk across the business leadership that responded to the executive service across advanced economies, cyber was also noted as the risk most likely to intensify and worsen in 2018 in the overall global risk perception survey.

”cyber is at or above the scale of natural catastrophes, yet the comparative infrastructure against it is much smaller in scale.” John Drzik

As well as cyber, geopolitical risk, climate change and public-private cooperation were touch one by the other panellists – WEF head of economic progress Margareta Drzeniek Hanouz, Zurich Insurance Group group chief risk officer Alison Martin, and WEF member of the managing board Richard Samans – but Drzik highlighted that many of these areas were heavily impacted by cyber.

He said: “Cyber risk is an area where some of the threads in the global risk environment come together.”

In 2017, there were a number of high-profile attacks, including the likes of WannaCry, and there was also a shift in geopolitical trends which could lead to more state-sponsored attacks alongside the financially motivated ones.

“With this increasing suite of attackers, you have cyber risk growing, and in turn the cyber exposure is growing within companies,” Drzik said.

Along with motivation, the ability to attack is also increasing, Drzik explained: “I think about the proliferation of interconnected devices. There’s currently today 8.4 billion of those out there, so already greater than the global population of 7.6 billion, and projected to grow to 20 billion in 2020. So that just widens the attack surface for companies to potential attacks. Use of artificial intelligence and other emerging technologies is also leading to greater cyber exposure for companies.”

Given the interconnected nature of cyber and its potential aggregate losses, Drzik stressed that he believed risk mitigation in this area was heavily under-resourced.

He said: “When you think about the comparative scale [of losses], cyber is at or above the scale of natural catastrophes, yet the comparative infrastructure against it is much smaller in scale. I think about the government agencies, as well as voluntary organisations, that focus on response to natural disasters, versus national cyber agencies – the cyber agencies are much less resourced. They have some capacity, but not enough to deal with what is a significantly growing risk.”

He added: “International protocols have yet to really emerge in dealing with cyber risk, and those are going to be needed as well.”