Cyber security has long been seen as an IT issue but today’s booming digital economy means this is no longer the case. Whether it’s the rise of home working, the acceleration of digitalization, or the far-reaching effects of events such as the ransomware attack on the Colonial Pipeline in the US, the potential and actual vulnerabilities exposed by cyber incidents have become all too apparent, ensuring a far broader demographic is increasingly concerned with cyber security’s social impact, including company management, global investors and stakeholders with potential exposure to customers’ private information.
Indeed, cyber security resilience is now regarded as the major ESG risk topic for many companies, according to the majority of respondents in the Allianz Risk Barometer 2022 (58%) (see Cyber Risk & Ransomware Trends).
Figure: Which ESG risk trends are of most concern to your company? Figures represent the percentage of answers of all participants who responded (2,650). Figures do not add up to 100% as up to three risks could be selected.
This is driven by factors such as the growth and severity of cyber-attacks, and the introduction, and increase, of data security regulations to enhance the protection of personal information around the world. Given companies can be fined and/or suffer reputational damage if they do not adequately protect their information/networks, there is growing acknowledgment of the need to build resilience and plan for future outages or face the consequences from regulators, investors and other stakeholders.
In the past, it was mainly technology companies that were assessed on cyber security resilience, but these days, businesses across a range of sectors are subject to such scrutiny.
ESG risk-analysis frameworks of data providers
Increasingly, cyber security considerations are incorporated into the ESG risk-analysis frameworks of data providers, who look into companies’ data protection and information security practices to evaluate their preparedness for cyber crime, while investors typically examine data protection and information security policies to assess a firm’s cyber security risks (see How Insurers Can Embed ESG into Finance?).
Making sure a company’s cyber security processes and policies are understood at the board level and that cyber risk monitoring processes are in place is crucial. One of the main complaints from the investment community has been around transparency – it is hard to understand a company’s cyber risks and for various reasons companies have been slightly hesitant in the past to provide enough transparency. But the ones that do certainly see the benefit.
Considering cyber security as an ESG metric is still a relatively new concept but continued and expanded interest in this area is to be anticipated.
Companies that don’t recognize these changes and don’t integrate their ESG and cyber security strategies may discover that they have a lot more to deal with than just a cyber insurance claim in future (see Cybersecurity and the Cyber Insurance Market).
Shortage of cyber security pros
A shortage of cyber security professionals may be hindering efforts to improve cyber security, especially outside the technology sector.
Demand for cyber security experts is growing at a time of constrained labor supply in the US and Europe.
More and more companies are looking to employ cyber security specialists, but supply is not keeping up with demand.
According to Cybersecurity Ventures, the number of unfilled cybersecurity jobs worldwide grew 350% between 2013 and 2021 to 3.5 million – enough to fill 50 large football stadiums (see Cybersecurity Insurance Market Size Forecast).
Board awareness of cyber has accelerated security investment in recent years, but many companies struggle to get the IT professionals required to implement changes at the required pace and scale.
Just 2-3 years ago there was a lack of awareness of cyber among top management, but that has changed dramatically with large supply chain cyber-attacks, and more recently with the changing threat landscape from the conflict in Ukraine.
As a result, the C-Suite are more engaged with cyber risk and have stepped up investment.
However, the problem is now one of talent. There is a global shortage of cyber security professionals, and many companies are experiencing problems hiring, which has affected the ability of some companies to make improvements to cyber security.
AUTHORS: Jens Krickhahn – Practice Leader Cyber Insurance, Central and Eastern Europe at AGCS, Michael Daum – Global Head of Cyber Claims at AGCS