Many in the cybersecurity community saw 2022 as the “year of the data breach” and hoped for better times ahead, but as we move toward the end of 2023, the risk landscape has deteriorated with cybersecurity attacks trending upwards.
While the stakes are higher, cyber leaders are nonetheless feeling the effects of tightening budgets. The recently published EY 2023 Global cybersecurity leadership insights study finds that an inadequate cybersecurity budget is one of the major challenges facing organisations as they seek to manage cyber risk. Cyber leaders in Asia Pacific are more concerned about cybersecurity budgets than the rest of the world: 44% of Asia Pacific respondents feel inadequate cybersecurity budgets pose a greater challenge to their organisations’ approach to cybersecurity today, as compared to 36% of global respondents.
Despite these budgetary challenges, the insurance industry sees a multibillion-dollar coverage gap in the cyber insurance market. The EY 2023 Global Insurance Outlook examines insurers’ development of cyber insurance in response to the market’s rapidly evolving needs for coverage. As important as cyber insurance policies are, they are, however, no substitute for investing in cybersecurity risk management.
How can companies take a more informed and proactive cybersecurity approach? At the EY organisation, we advise the following:
Increase awareness of exposure to cyber risks
The pandemic has sharpened the world’s focus on economic, supply chain and national resilience — and cyber resilience should be no different. How to sustain business operations and survive in the face of a concerted cyber incident is a huge challenge for any organisation, which cannot be overlooked.
When advancing on their digital transformation journeys, organisations must embed cybersecurity at the outset, recognising their “attack surfaces” are expanding, and adopt a “secure by design” mindset – cybersecurity is becoming ever more a business differentiator in the market. At the same time, they cannot assume cyber risk is being handled by their service providers. They need to take a shared responsibility approach and hold these providers to the same security standards across the organisation.
Share risk management expertise
When we surveyed cybersecurity leaders in our EY 2023 Global cybersecurity leadership insights study, we identified organisations that achieved better cyber outcomes – with fewer cybersecurity incidents and faster time to detect and respond to incidents. These “secure creators” strengthen their cybersecurity by emphasising simplicity, holistic thinking, and integration of cybersecurity considerations across the organisation.
Sharing these ingredients of success helps organisations to advance, supporting the development of a risk management strategy that is more effective and drives value. And when it comes to cyber insurance, we see more insurers working directly with larger clients to better understand their risks and the measures required to reduce them, and to tailor policies and premiums.
Encourage investment in risk reduction
Despite the pressure on budgets, driven largely by economic headwinds, cybersecurity leaders are best served by demonstrating the “buy down” in cyber risk to their CFOs. Cyber risk can be quantified using several approaches that are well understood, not least of which is FAIR (Factor Analysis of Information Risk). FAIR quantifies risk by assessing the probable frequency of a cyberattack and the magnitude of the resulting loss. In this way, the cost-benefit analysis of investing in cybersecurity becomes better understood. Speaking in language that resonates with the CFO and the board achieves the best budgetary outcomes for cyber risk reduction programs.
Facilitate robust responses to cyber incidents
How do companies respond to cyber incidents? They start by simulating a cyber incident to investigate the impacts on the business of a real-world attack, including understanding what happens if critical systems are taken out of service or key data is locked up through ransomware. Learnings from these invaluable exercises then need to be fed back into the incident response and recovery plans, and used to help identify gaps in cyber defenses that need to be addressed.
As with climate change, cyber risk is an issue too big for the insurance industry alone, especially because cybercrime is so lucrative. Collaboration across ecosystems will help insurers not only understand the extent of the risks, but also identify and promote leading practices across the cybersecurity lifecycle.
This article was written by Jeremy Pizzala, EY Asia Pacific Cybersecurity Consulting Leader. Pizzala is based in Hong Kong.
***
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.
Cyber: Companies need proactive approach to cyber security in a deteriorating risk landscape