Global Risks

Cyber risk is a growing challenge. So how can we prepare?

Business owners board up their restaurant in the French Quarter as Hurricane Nate approaches the U.S. Gulf Coast in New Orleans, Louisiana, U.S.  October 7, 2017. REUTERS/Jonathan Bachman - RC1765E2CC60

What can cyber-resilience learn from the response to natural disasters? Image: REUTERS/Jonathan Bachman

John P. Drzik
Chairman, Marsh & McLennan Insights
Our Impact
What's the World Economic Forum doing to accelerate action on Global Risks?
The Big Picture
Explore and monitor how Global Risks is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


A positive outlook for the global economy shouldn’t engender complacency. As described in the Global Risks Report 2018, the rapidly shifting global risks landscape presents a challenging operating and investment environment for businesses.

The pace of change has been increasing, characterized by rapid technological advances, seismic shifts in the geopolitical landscape and growing sources of social instability. The broad range of potential shocks that could emerge in this context demands a strategy that puts a premium on resilience.

The average time companies spend in the S&P 500 index has already decreased from approximately 60 years in the 1950s to 12 years today. The velocity of change in the current environment, creating both new opportunities and new threats, will likely drive down this figure even further.

The growing challenge of cyber

One place where many of these issues come together is cyber-risk. Cyberattacks are perceived as the global risk of highest concern to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018, according to the risk perception survey that underpins the Global Risks Report.

Exposure to risks from cyber is growing as firms become more dependent on technology. The explosive growth of interconnected devices expands the size of the surface open to cyberattack for organizations — and the number of interconnected devices in the world is expected to jump from 8.4 billion today to 20 billion in 2020. Increased use of artificial intelligence in business processes also heightens exposure to cyber-risks.

At the same time, geopolitical friction is contributing to a surge in the scale and sophistication of cyberattacks, particularly from well-resourced efforts with state backing. Firms, large ones in particular, need to anticipate attacker objectives that range from theft and business interruption to extortion, economic espionage, reputational damage and the infiltration of critical infrastructure and services. This highly diverse and very active set of adversaries makes cyber a very challenging risk to manage.

An under-resourced risk

Awareness of this challenge is growing and investment in cyber-risk management is increasing. However, cyber is still under-resourced in comparison to the potential scale of the threat, a view that’s even more compelling when considered in the context of a more familiar issue — natural catastrophes.

Analysis suggests that the takedown of a single cloud provider could cause $50 billion to $120 billion of economic damage — a loss somewhere between Hurricane Sandy and Hurricane Katrina. And while it’s not exactly apples to apples, the annual economic cost of cybercrime is now estimated at north of $1 trillion, a multiple of 2017’s record-year aggregate cost of approximately $300 billion from natural disasters.

Although cyber-risk management is improving, business and governments need to invest far more in resilience efforts to prevent the same “protection gap” between economic and insured losses that we see for natural catastrophes.

The supportive infrastructure to manage and mitigate cyber-risk is not nearly at the same scale as the one in place for natural catastrophes. National cyber agencies, although expanding, don’t have the same capacity as the public and voluntary sector agencies ready to respond to natural disasters — such as FEMA in the US. Additionally, international protocols for sharing intelligence and mitigating impact, curbing malicious endeavours and forestalling escalation and retaliation are only starting to emerge — and are only endorsed by few countries at the moment, with no sanctions for non-compliance.

Businesses also need to focus on their resilience to cyber events and generally need to rebalance their initiatives from prevention to response. While companies in at risk areas often have rigorously developed response plans for extreme weather events, this is rarely the case for cyberattacks. Indeed, research suggests that only one third of companies have prepared an incident response plan for a major cyberattack.

Have you read?
New imperatives for risk management

One clear takeaway from this year’s Global Risks Report is that there’s a wide array of potential shocks that could emerge at this time of rapid technological, political and societal change. With firms more leveraged than they were a few years ago — the debt-to-equity ratio has nearly doubled since 2010 for the median S&P 1500 company — their stability is even more vulnerable to these potential shocks and surprises.

Innovation and growth need to be reconciled with risk and stability. More than ever, business leaders need to chart a course for their companies that has a bold strategic ambition to capture emerging opportunities and rigorous resilience planning that matches up against the complex set of risks in the current global landscape.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Related topics:
Global RisksCybersecurity
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

How early warning systems and parametric insurance can build climate resilience in Africa

Ange Chitate

July 10, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum