Jeremy Pizzala, EY

Cyber: Companies need proactive approach to cyber security in a deteriorating risk landscape

October 27 2023

Many in the cybersecurity community saw 2022 as the “year of the data breach” and hoped for better times ahead, but as we move toward the end of 2023, the risk landscape has deteriorated with cybersecurity attacks trending upwards.

While the stakes are higher, cyber leaders are feeling the effects of tightening budgets. The recently published EY 2023 Global cybersecurity leadership insights study finds that an inadequate cybersecurity budget is one of the major challenges facing organisations as they seek to manage cyber risk. Cyber leaders in Asia Pacific are more concerned about cybersecurity budgets than the rest of the world: 44% of Asia Pacific respondents feel inadequate cybersecurity budgets pose a greater challenge to their organisations’ approach to cybersecurity today, compared with 36% of global respondents.

Despite these budgetary challenges, the insurance industry sees a multibillion-dollar coverage gap in the cyber insurance market. The EY 2023 Global Insurance Outlook examines insurers’ development of cyber insurance in response to the market’s rapidly evolving needs for coverage. As important as cyber insurance policies are, however, they are no substitute for investing in cybersecurity risk management.

How can companies take a more informed and proactive cybersecurity approach? At the EY organisation, we advise the following:

Increase awareness of exposure to cyber risks
The pandemic has sharpened the world’s focus on economic, supply chain and national resilience — and cyber resilience should be no different. How to sustain business operations and survive in the face of a concerted cyber incident is a huge challenge for any organisation, which cannot be overlooked.

When advancing on their digital transformation journeys, organisations must embed cybersecurity at the outset, recognising their “attack surfaces” are expanding, and adopt a “secure by design” mindset – cybersecurity is becoming ever more a business differentiator in the market. At the same time, they cannot assume cyber risk is being handled by their service providers. They need to take a shared responsibility approach and hold these providers to the same security standards across the organisation.

Share risk management expertise
When we surveyed cybersecurity leaders in our EY 2023 Global cybersecurity leadership insights study, we identified organisations that achieved better cyber outcomes – with fewer cybersecurity incidents and faster time to detect and respond to incidents. These “secure creators” strengthen their cybersecurity by emphasising simplicity, holistic thinking, and integration of cybersecurity considerations across the organisation.

Sharing these ingredients of success helps organisations to advance, supporting the development of a risk management strategy that is more effective and drives value. And when it comes to cyber insurance, we see more insurers working directly with larger clients to better understand their risks and the measures required to reduce them, and to tailor policies and premiums.

Encourage investment in risk reduction
Despite the pressure on budgets — driven largely by economic headwinds — cybersecurity leaders are best served by demonstrating the “buy down” in cyber risk to their CFOs. Cyber risk can be quantified using several approaches that are well understood, not least of which is FAIR (Factor Analysis of Information Risk). FAIR quantifies risk by assessing the probable frequency of a cyberattack and the magnitude of the resulting loss. In this way, the cost benefit analysis of investing in cybersecurity becomes better understood. Speaking in language that resonates with the CFO and the board achieves the best budgetary outcomes for cyber risk reduction programs.

Facilitate robust responses to cyber incidents
How do companies respond to cyber incidents? They start by simulating a cyber incident to investigate the impacts on the business of a real-world attack, including understanding what happens if critical systems are taken out of service or key data is locked up through ransomware. Learnings from these invaluable exercises then need to be fed back into the incident response and recovery plans, and used to help identify gaps in cyber defenses that need to be addressed.

As with climate change, cyber risk is an issue too big for the insurance industry alone, especially because cybercrime is so lucrative. Collaboration across ecosystems will help insurers not only understand the extent of the risks, but also identify and promote leading practices across the cybersecurity lifecycle.

This article was written by Jeremy Pizzala, EY Asia Pacific Cybersecurity Consulting Leader. Pizzala is based in Hong Kong. 

***

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.
