Cyber threats continue to be top of mind for businesses globally, with incidents such as information technology outages, ransomware attacks and data breaches ranking first among global business risks for 2023, for the second consecutive year, according to Allianz Global Corporate & Specialty’s annual risk barometer released last month. Its analysis shows that the frequency of ransomware attacks remains elevated, and the average cost of a data breach is at an all-time high of $4.4 million and expected to rise to more than $5 million this year. The war in Ukraine and wider geopolitical tensions have heightened the risk of a large-scale cyberattack by state-sponsored actors.

Meanwhile, at the World Economic Forum gathering of business and finance leaders in Davos, Switzerland, in January, experts predicted that 2023 will be a consequential year for cybersecurity. An expanded threat landscape and increasingly sophisticated cyberattacks were cited. For the first time, widespread cybercrime and cyber insecurity ranked among the most severe risks in the next 10 years in the WEF’s Global Risks Report. Cyberattacks on critical infrastructure also ranked among the most immediate crises with the greatest potential impact on a global scale.

The opening weeks of the year appear to have borne this out, with the United Kingdom’s postal service hit by a ransomware attack — suspected to have been caused by a hacker group with links to Russia — that disrupted its international export services. In the United States, thousands of flights were grounded after a computer outage at the Federal Aviation Administration, though late last month the FAA continued to say that it had so far found no evidence of a cyberattack or malicious intent.

Meanwhile, global geopolitical instability has helped to close the perception gap between business and cyber leaders on the importance of cyber risk management, with 91% believing that a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years, based on their responses to the WEF 2023 Global Cybersecurity Outlook report. Both business and cyber leaders have a clearer view of their organizations’ cyber capabilities and vulnerabilities, and cyber issues are more integrated into enterprise risk management and are receiving more board focus. 

But there is still more work to do. While cyber and business leaders and boards of directors are communicating more frequently on strategies to overcome cyber threats, they speak very different languages. Cybersecurity experts need to speak less technical jargon, while boards need to help them understand what assets and processes should be prioritized for protection, the WEF report said.

For risk managers and insurers, figuring out ways to mitigate and underwrite cyber risks continues to be challenging. In an interview on page 13, Jennifer Santiago, 2023 president of the Risk & Insurance Management Society Inc. and director, risk management and safety at Wakefern Food Corp., talks about how risk managers face an erosion of coverage, capacity and cost when placing cyber coverage for their organizations. Risk managers fear that fewer markets will be willing to write cyber and more exclusions will be introduced, what Ms. Santiago dubs “a Swiss cheese policy.” That’s why many risk managers believe creating a federal backstop to help deal with cyber risks — both large-scale cyber incidents and day-to-day cyber risks — is critical. While the devil is in the details on how such a program would be structured, momentum is growing inside the risk management community toward a solution that could ease some of the market pressures exacerbated by near-daily cyberattacks and be a positive step for policyholders. But to have any chance of passage soon in a bitterly divided Congress, insurers need to get fully on board, too.