November 25, 2021
Why is the AXA Research Fund publishing a report on cyber resilience?
Cyberattacks against organisations and individuals have soared with the Covid-19 crisis and the wide use of digital tools, making cyber risk one of the top positions in the risks landscape.
The latest World Economic Forum Global Risks Report ranks cyber security failure 9th as the most likely risk and IT infrastructure breakdown the 10th most impactful one. This momentum is confirmed by the AXA Future Risk Report 2021, where cyber risk was selected as the 2nd most important issue for society.
Faced with the magnitude of this risk – the cost of cybercrime is estimated at $6 trillion in 2021 (1) – and the evolving aspect of the attacks, building up cyber resilience is of paramount importance. As an insurer, we want to provide in this publication insights from experts such as researchers, practitioners, and governments, about building stronger systems and cyber mitigation and prevention practices.
What is at stake for the insurance industry?
Cyber resilience requires an organization-wide strategy that efficiently responds to threats and identifies vulnerabilities. It also needs anticipation and a systematic and rigorous approach to be ready to face the unknown. Being resilient not only means avoiding incidents, but also being ready to recover from the worst-case scenario.
For the insurance industry, cyber risk is a challenge in multiple ways. Cyber event data is currently too scarce to appropriately price products, and cyber risk modelling is still at an immature stage. Cyber threats are constantly evolving with outsized impact and severe losses. Insuring cyber risks depends on our ability to model cyberattacks in a way that integrates the complex dependence effects of cyber events.
To develop further, the industry will have to overcome the limited access to underwriting and risk expertise. It will need to develop the maturity of key stakeholders, such as agents and brokers around cyber risk.
What are the key takeaways of this report?
While cyber risk is a growing issue, it is not all doom and gloom. In fact, there is a consensus saying that we need collective action, based on information sharing and co-operation, awareness building and the adoption of new techniques, towards making our cyber space safer and stronger in the face of attacks.
The second learning is that building cyber resilience for corporations must be done in a holistic and strategic manner based on three pillars: people, through training and awareness, new technologies such as artificial intelligence, and procedures and standards which enable to quickly anticipate, react, and recover from cyberattacks.
Moreover, data sharing and regulation are key components of cyber resilience. Indeed, certain states and international bodies are acknowledging that cyber space needs to be regulated with global binding frameworks. They are also calling for an ecosystem-wide collaboration on data sharing.
Since the uncertainty and complexity around cyber risk limits traditional forecasting and modelling tools strategic, Foresight can help better understand – and therefore anticipate - future cyber threats. The report findings will show us the way forward on managing cyber risk. With the Building Cyber Resilience Report, we join the discussion around the cyber resilience of our society and the insurance industry.
(1) Cybercrime To Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine, November 2020