Cyber Incidents are the Biggest Business Risk of 2022 – So What Now?

After a year of unprecedented cyber-threat activity, the world’s risk managers are in agreement. The number one business risk for 2022 is “cyber incidents.” This is only the third time in the 11-year history of the Allianz Risk Barometer that “business interruption” has not come in at the top. Yet the two are closely related. The question is how organizations can mitigate these risks and drive business success through 2022 and beyond.

Cyber incidents threaten not only to disrupt business operations but also to cause significant financial and reputational damage. A data-centric security approach will help to minimize a large portion of this risk by putting sensitive information out of the reach of attackers. It could also open the door to reduced insurance premiums and broader coverage.

When business is interrupted

The barometer is compiled from interviews with 2,650 risk management experts from 89 countries. It revealed that 44% of respondents chose cyber incidents as their top risk for 2022, up from 40% last year when the risk was ranked third behind business interruption and the COVID-19 pandemic. Yet the truth is that all three are related.

The pandemic has spurred massive investments in digital transformation which, without adequate enhancements in security posture, have left organizations’ cyber-attack surfaces dangerously exposed. Software vulnerabilities, misconfigured systems such as cloud databases, and supply chain threats all loom large, as do more traditional user-centric risks such as phishing. Many of these have been made more acute by the new trend for mass remote working. The resulting security breaches can directly interrupt business operations, sometimes halting them altogether.

According to the Allianz report, ransomware (57%) and data breaches (57%) were ranked as the top two concerns for 2022. In fact, most ransomware attacks today also contain a data breach element, known as “double extortion,” in which the attackers not only prevent you from accessing your files, they also threaten to leak any sensitive data they may have gained access to. Both can also result in significant financial and reputational damage including:

  • Legal costs (especially if class action suits follow data exposure)
  • IT overtime
  • Third-party forensics and investigation
  • Lost sales
  • Productivity losses
  • Declining share price
  • Customer churn and brand damage

Hedging risk through insurance

This is particularly bad news for organizations that process and store large amounts of data. So what can be done? Cyber-insurance is a popular option. But having paid out significant sums as ransomware attacks ramped up during 2020 and 2021, many providers are being more selective about whom they offer policies to. And coverage is sometimes reduced, or else premiums are subject to massive price increases.

As described in the Allianz report, pre-contract assessments increasingly look for elements of security best practice such as regular backups, patching, training and multi-factor authentication. If they’re not present, the customer may be saddled with reduced coverage and/or higher premiums. To these best practices we can add data-centric security.

Best practice cyber-hygiene

Data-centric security means applying technologies such as encryption and tokenization to all sensitive data, wherever it is across the distributed IT environment. By doing so, organizations effectively render it useless to any threat actor. That means, in the likely event they manage to bypass some security controls and access data stores—whether as part of a data heist or a ransomware attack—the impact will be minimal.

With this peace of mind, organizations can rest easy knowing that business interruption and risk are minimized. They’ll be able to accelerate compliance with PCI DSS, GDPR, HIPAA and other important regulatory frameworks. And they could benefit from more insurance coverage at a lower premium. There are of course other risks to consider under the umbrella of “cyber incidents.” But with data-centric security, one of the main ones is no longer so intimidating.


*** This is a Security Bloggers Network syndicated blog from comforte Blog authored by Thomas Stoesser. Read the original post at: https://insights.comforte.com/cyber-incidents-are-the-biggest-business-risk-of-2022-so-what-now