With nearly 75% of organizations experiencing at least one cyberattack and the average cost of a data breach exceeding $4 million in 2022, building resilience is now more important than ever. Moreover, as governments grapple with growing geopolitical tensions and heightened security concerns, there is increasing scrutiny on restricting the flow of data. Trends towards deglobalization and regionalization are driving a greater push for “digital sovereignty,” stifling global interoperability and increasing the complexity of cooperation in managing cyber intrusions.

Phishing and other hacking mechanisms are moving beyond emails to social media, phone calls, and other platforms, increasing employees’ susceptibility to social engineering from these multichannel threats. The continued rollout of IoT devices and other technologies also magnifies the attack surface. Meanwhile, the severity of threats is snowballing with the growing potential of AI-augmented hacking, technologies like VALL-E that can be used to create sophisticated deepfakes, and state-sponsored attacks on critical infrastructure.

Although many businesses have effectively enacted internal cybersecurity protections, in 2022 fewer than half had conducted risk assessments of their supply chain – a growing source of threats. As regulations on managing sensitive data and third-party vendors continually evolve, ensuring compliance will become increasingly complex.

To institute robust protections, companies should consider revising existing playbooks to respond to the evolving nature of cyber risk. Embedding security standards across various functions, implementing advances in tokenization and quantum cryptography, and investing in insurance can help build preparedness holistically and effectively. As such, while IT teams will continue to have a crucial role in the development and design of secure corporate networks, cybersecurity must expand to an organization-wide responsibility.

The first installment of the 2023 Marsh McLennan Cyber Handbook features perspectives from business leaders across Marsh, Guy Carpenter, Mercer, and Oliver Wyman, who help clients become more resilient in managing cyber risk. Their expert insights explore some of the most significant trends in cyber readiness, cyber response, and new cyber regulations.

Digital Risks on the Horizon

The advent of the metaverse and other emerging technologies presents some familiar risks, such as those related to fraud and data privacy. However, there is limited data on physical injury risks arising from haptic wearables malfunctioning and the prolonged use of VR goggles. The current lack of regulatory clarity also leads to the prospect of evolving expectations about liabilities and risk mitigation mechanisms. To effectively anticipate and manage threats, businesses will need to conduct risk and skills assessments across their value chain—not just at a digital level, but across their supply chain as well.

Regulations to Drive Cyber Resilience

Efforts to establish operational resilience have often been haphazard and poorly coordinated, resulting in inadequate control environments or poor backup plans for critical activities. For many organizations, regulations such as the Digital Operational Resilience Act (DORA) will fundamentally change how resilience is thought about, requiring institutions to deconstruct and assess the complexity of their own IT systems. Additionally, the US Supreme Court’s review of Section 230 could expand the limits on liabilities for social media and video platform companies. While such regulations are still evolving, the direction of travel from regulators is clear and requires a more proactive and preventative mindset across institutions.

Building Preparedness

Ransomware is projected to cost businesses $30 billion in damages in 2023 alone. As more key infrastructure and resources become digitalized, strategies for managing potentially catastrophic cyber risk will need to evolve. In tandem, the responsibility for cybersecurity must expand to a whole-organization approach – from corporate boards having more tech experience and skills to ensure proper oversight, to every employee being trained to maintain proper cyber hygiene. Such actions will also help organizations move the needle on the path to greater protections, increased insurability, and potentially lower premiums for looming cyber risks. Additionally, using a captive insurer or cell as part of a cyber risk finance strategy can help set a steady course no matter the commercial market conditions.