With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.
The term has taken on a new importance in 2024 as enterprise companies have come to recognize the significant financial cost of cyber incidents and look to focus on reducing interruptions to their business. This alignment of cyber and business drove WEF’s 2024 report as they surveyed over 200 cyber risk leaders to understand where security trends are shifting in the year ahead. These are the top three trends that stand out.
1. Cyber Resilience is Critical to Executive Buy-in
As we’ve written about previously, there is a clear link between an organization’s level of Cyber Resilience and engagement from executive leadership. Of the cyber risk experts surveyed, “93% of respondents that consider their organizations to be leaders and innovators in Cyber Resilience trust their CEO to speak externally about their cyber risk.” This seems rather strange when you consider the technical nature of cybersecurity and the more traditional view from executives that this issue is not a significant focus for them. In fact, a 2023 Accenture report found that “60% of CEOs said their organizations don’t incorporate cybersecurity into business strategies, services or products from the outset, and more than four in 10 (44%) of the CEOs believe that cybersecurity requires episodic intervention rather than ongoing attention.”
The difference in a CEO’s focus lies in the difference between cybersecurity and Cyber Resilience. Where cybersecurity is a tactical focus on controls and technologies, Cyber Resilience takes a business-focused approach by working to understand which risks are critical to invest against and which risks must be accepted or transferred through insurance. Framing the cyber risk discussion in business terms provides an opening for non-technical executives not only to discuss the topic but also to weigh in with strategic guidance and ownership. It is also telling that WEF’s report notes “of organizations that are not cyber resilient, only 23% trust their CEO’s ability to speak about their cyber risk.” This marks the difference in executive focus between an organization solely focused on technical security and one focused on how to build a more resilient business.
2. Third-Party Risk Must Become a Primary Focus of Resilient Organizations
Our supply chain ecosystem is becoming more and more of a systemic threat to Cyber Resilience. Last year, Resilience reported on the massive impact the MOVEit breaches had on its 1H’23 claims figures. The series of vendor-driven breaches accounted for the significant majority of incidents and overtook issues such as phishing, account takeover, and software vulnerabilities as the leading cause of losses for clients.
A main driver of vendor breaches is a lack of visibility into the cyber risk that is being accepted by working with a specific vendor. In the case of the MOVEit breaches, Resilience’s security team was actually the first to notify some of the impacted clients that their data had been compromised by the threat actor group CL0P. This was done by monitoring the criminal group’s public leak and data extortion sites and cross-referencing known client infrastructure.
WEF’s 2024 report also focused on the increasing challenge of reducing risk from third-party vendors, noting that “41% of the organizations that suffered a material incident in the past 12 months say it was caused by a third party.” Their findings mirror the concern of a lack of vendor visibility, stating, “54% of organizations [surveyed] have an insufficient understanding of cyber vulnerabilities in their supply chain,” and “even 64% of executives who believe that their organization’s Cyber Resilience meets its minimum requirements to operate say they still have an inadequate understanding of their supply-chain cyber vulnerabilities.” This lack of visibility into a supplier’s risk must become a primary area of focus for companies working to better assess, measure, and manage their cyber risk.
3. The Much-Anticipated Role of AI in Cyber Risk Management
Finally, no survey on technology these days can get away without mentioning generative AI, and WEF’s report makes a strong case that “emerging technologies [such as generative AI] will exacerbate long-standing challenges related to Cyber Resilience.” Resilience’s CISO, Justin Shattuck, has written about the potential for tools like ChatGPT to serve as a new “interface” for security leaders. In February of last year, he told Axios, “A lot of what we’re constantly doing is sifting through noise. And I think using machine learning allows us to get through that noise quicker. And then also notice patterns that we humans aren’t typically going to notice.”
However, respondents to WEF’s 2024 survey were less optimistic, with 55.9% of respondents saying they believe generative AI would benefit attackers and only 8.9% saying the defenders would be the primary beneficiaries. Specifically, 46% of respondents were primarily concerned with generative AI’s ability to enhance “adversarial capabilities like phishing, malware, and deepfakes.” But concern also extended to the security of generative AI itself, with 20% concerned about inadvertent data exposure and a cumulative 16% concerned with the technical security and supply chain security of large language models. In response to the increased risks of this new technology, a larger share of respondents (60% in 2024 vs 39.2% in 2022) felt some type of cybersecurity regulation would be beneficial in reducing cybersecurity risks to businesses.
Building Global Cyber Resilience: A New Way of Thinking
Last year, Resilience’s CEO, Vishaal “V8” Hariprasad, spoke at Davos about the business impacts of threats from cybercrime. While awareness of cyber risk is reaching executive levels, to solve these structural problems and be ready to take advantage of new trends in technology, companies need to take the next step and think about how they prioritize their cyber investments. Cyber Resilience forces organizations to consider what risks they will buy down with a strong security program, what financial risk they can transfer away through insurance, and what risks they just have to accept. Accepting risk is not a common security “best practice,” but knowing the risk you accept is significantly better than the alternative of pretending you are secure against everything.
Companies need to think about their cyber risk comprehensively with coordination across their risk management, cybersecurity, and financial silos. These teams need to have visibility into what could constitute a material risk, with coverage that helps transfer financial risk away from the company’s coffers and ongoing analysis that can help senior leaders make informed business decisions.
While work from partners like the World Economic Forum goes a long way to bringing attention to this subject, more should be done by those in the cyber insurance industry with the data to help inform these decisions and an economic incentive to build Cyber Resilience in their clients. If cyber insurance can transform more into a risk management solution, it has the potential to act as a driver for incentivizing companies to be safer and as a critical element in building a more secure cyber ecosystem.