A new report from Zurich Insurance Group and the Atlantic Council indicates that we’re reaching the tipping point when the annual costs of cyber disruptions begin to outweigh the benefits of doing business in a connected world. Jason Healey, Senior Fellow with the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center on International Security, unpacks what that surprising finding means for business.

Why did you undertake the report?

We were driven by the question: How do we know if we’re starting to pay more in cyber security costs than we’re getting in benefits from being connected? As far as we know, the question has never really been asked before.

And what’s the biggest single finding of the report?

The startling finding is that on an annual basis, the developed world is spending more on cyber security in a given year than we are getting in annual benefits. It seems a bit counterintuitive, doesn’t it?

So should we just unhook from the Internet?

No, because annual cyber security costs tend to be operating expenses or one-offs. For example, if you’re a big company that just got hit by a hacker attack, you’re going to have to spend a bunch of money to recover. But the benefits you get from being connected—streamlined work processes, better connections to your customers, and the like—tend to compound over time in a way that costs don’t. So, in the report’s base case, cumulative global benefits outweigh the costs by nearly $160 trillion through 2030.

But CEOs have to manage results quarter-to-quarter, year-to-year. So how should individual companies interpret the report?

Let’s talk about how they should not view it: They should not view it as a deterrent to investment in growth and innovation. If they do, they will miss out on the potential of cumulative benefits. And that is significant, as the difference between the worst-case scenario and best-case scenario in the report is more than $100 trillion in global GDP through 2030.

So what steps should businesses take to access that potential and minimize costs?

First, a lot of companies just don’t have the cyber security they need even for today’s threats—much less if it gets worse. The report recommends basic controls that should be adopted. Second, controls aren’t going to be enough against future threats. So we really think that investments that make a business more resilient to cyber events could go a long, long way. You’re not going to be able to keep all the threats out, so you have to be prepared when you get hit—whether it’s by hackers or a wide-scale Internet outage—to be able to bounce back quickly and limit the time of the outages.

Where does responsibility for understanding and managing these risks start?

We believe companies should govern from the board on down. To put it in the kind of finance terms that the board might be more familiar with: In the face of this long bet, basic cyber security and resilience are your hedge. You’ve got to think of this as a risky position that you’re engaged in—a position that could have serious implications for your company. So you really have to invest in covering your long bet.

This article is published in collaboration with Zurich Knowledge Hub. Publication does not imply endorsement of views by the World Economic Forum.

Author: John Scott is a Chief Risk Officer of Global Corporate at Zurich.

Image: A hand is silhouetted in front of a computer screen in this picture illustration taken in Berlin. REUTERS/Pawel Kopczynski