Cyber resilience is critical for organizations' survival. Thoughtful reporting can help build it.

Jul 7, 2020

Diego Araujo Schulz, investor, works at his home during the spread of the coronavirus disease (COVID-19), in Sao Caetano do Sul, Sao Paulo state, Brazil, May 9, 2020. Picture taken May 9, 2020. REUTERS/Rahel Patrasso - RC2RRG9Q173G

In an era of strategic risk, thoughtful cyber-resilience reporting is important to creating overall cyber resilience. Image: REUTERS/Rahel Patrasso

Maya Bundt

Director, Bâloise-Holding

Our Impact

What's the World Economic Forum doing to accelerate action on Cybersecurity?

The Big Picture

Explore and monitor how Cybersecurity is affecting economies, industries and global issues

A hand holding a looking glass by a lake

Crowdsource Innovation

Get involved with our crowdsourced digital platform to deliver impact at scale

Stay up to date:

Cybersecurity

The COVID-19 pandemic has highlighted the importance of cyber resilience to organizations' stability, productivity and survival.
Cyber-resilience reporting can increase transparency, enhance reputations and foster an organizational culture to combat cyber risk.
Organizations should develop thoughtful reporting before less effective and more onerous standards are imposed on them.

Almost overnight, COVID-19 has changed the way we work, conduct business and interact with one another, personally and professionally.

With so many people suddenly and unexpectedly working from home and organizations moving to digital business models, cyber resilience has become critical to stability and productivity.

This situation is exacerbated by bad actors taking full advantage of forced digitalization. Attackers are assaulting their targets at dramatically increased rates with phishing, ransomware, fraudulent offers and harassment, including new iterations like “Zoom-bombing”.

Have you read?

In a world of serious strategic risks – pandemics, broad-scale cyberattacks, geopolitical upheaval, climate change – a systemic increase in overall cyber resilience is a necessity. So, how do businesses and organizations speed up cyber resilience-building? By reporting it.

The power of deliberate cyber resilience

Cyber resilience is a matter of survival. Sustainable value generation requires companies – and any type of organization, for that matter – to weather shocks to the system and learn from them. In a post-COVID world, these disturbances are more likely than not to affect a company's digital assets and processes – exactly those assets that have allowed the organization to function during the pandemic.

In a recently published white paper, Cyber Resilience ESG Reporting: Transparency Imperative or Security Nightmare, the authors define cyber resilience as:

an organization's ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber events. Organizational practices to achieve and maintain cyber resilience must be comprehensive and customized to the whole organization (i.e. including the supply chain). They need to include a formal and properly resourced information security program, team and governance that are effectively integrated with the organization’s risk, crisis, business continuity, and education programs.

First, entities must have in place detailed and actionable enterprise risk, crisis management, data protection and business continuity programs that incorporate cyber and virtual components. Many entities don’t have these essential resilience-building measures in the first place – at least not until they suffer a material crisis.

A close second is building a robust and comprehensive cybersecurity program with effective governance, practices and protocols that are kept up to date, continuously implemented and improved, and which include a laser focus on periodic training and cyber hygiene for all employees and relevant third parties.

This is a big ask for organizations, many of which have just started to understand the importance of cyber resilience. Leaders must step into the shoes of stakeholders and ask the following questions:

From the employee perspective: Am I cyber-safe working from home?
From the board perspective: Do we understand our digital risks? Are they managed appropriately?
From the partner or customer perspective: Is my IP safe from cyberattacks? Can the service be reliably offered?
From the shareholder and investor perspective: What is my company doing to preserve and protect my ownership interest in an environment of heightened risk?

Business leaders agree that reporting on cyber resilience is important. Image: Swiss Re Institute

Adding transparency to the security equation

How do stakeholders know if an entity takes cyber resilience seriously? Currently, they don’t.

In this age of serious and existential risk, thoughtful cyber-resilience reporting is important to creating overall cyber resilience. Why?

It creates transparency for external stakeholders to allow for more informed decision-making. Stakeholders receive important information about the sustainability of the performance of a company, which allows them to make decisions about whether to buy stock, enter a partnership or purchase a product or service.
It promotes financial value preservation and creation. Appropriate cyber-resilience programs, practices and talent – and an ability to report on them externally – promote greater trust in a company’s products, services and brand. This, in turn, can lead to earnings above and beyond a competitor who does not have the same trust.
It contributes to increased internal resilience building. An organization which focuses on cyber-resilience reporting will be better equipped to build a stronger internal culture to combat cyber risk.
It enhances reputation directly linked to transparency and care. A company that fosters transparency and publicly demonstrates general care and understanding of the expectations of key stakeholders will not only protect its reputation; it may very well create reputational opportunity and intangible value with other external stakeholders, too.

Discover

How is the Forum tackling global cybersecurity challenges?

The World Economic Forum's Centre for Cybersecurity at the forefront of addressing global cybersecurity challenges and making the digital world safer for everyone.

Our goal is to enable secure and resilient digital and technological advancements for both individuals and organizations. As an independent and impartial platform, the Centre brings together a diverse range of experts from public and private sectors. We focus on elevating cybersecurity as a key strategic priority and drive collaborative initiatives worldwide to respond effectively to the most pressing security threats in the digital realm.

Learn more about our impact:

Cybersecurity training: In collaboration with Salesforce, Fortinet and the Global Cyber Alliance, we are providing free training to the next generation of cybersecurity experts. To date, we have trained more than 122,000 people worldwide.
Cyber resilience: Working with more than 170 partners, our centre is playing a pivotal role in enhancing cyber resilience across multiple industries: oil and gas, electricity, manufacturing and aviation.

Want to know more about our centre’s impact or get involved? Contact us.

A call to action

Would reporting increase the overall maturity of cyber resilience on a large scale? Thoughtful, properly developed reporting standards could help businesses focus on building cyber resilience – just as financial and ESG disclosure have nudged companies towards more transparent, stakeholder-centric and resilient financial, operational and governance standards.

Transparency will foster a more cyber-resilient future, and some form of reporting akin to ESG reporting is inevitable. Now is the time for the private sector to think this through and develop potential solutions in order to avoid less effective – and more onerous – measures imposed on them in the not-too-distant future.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.