Cyber Threats and Climate Change Top Business Risks in 2024

Cyber incidents keep gaining ground as companies struggle with security

Cyber incidents have consolidated their ranking as the top business risk globally in 2024, according to the latest Allianz Risk Barometer. For the first time since the annual corporate risk survey began in 2013, cyber is at pole position in all regions across the globe ahead of business interruption (BI) and natural catastrophes – the latter rising to #3 globally as companies feel the impact of climate change events. Cyber incidents and ransomware attacks are already costing businesses billions with the final bill hard to calculate across whole supply chains.

The Global Cybersecurity Outlook 2024 report highlights a worsening threat landscape as cyber criminals share sophisticated tools and exploit new vulnerabilities in supply chains and infrastructure links. Small and medium sized companies are increasingly targeted. Climate change brings added vulnerability such as increased phishing scams or ransomware attacks following storms or floods. Conflict also spawns cyber attacks: security experts warn over state-backed campaigns out of Russia as geopolitical tensions continue in 2024.

“Two years of working from home, supply chain issues, inflation and recession worries have created a perfect storm of vulnerability for companies,” says Joachim Müller, CEO of Allianz SE. “In this high-risk environment it’s reassuring to see companies awakening to the benefits of cyber resilience and addressing existing vulnerabilities in systems which have evolved over decades. But there is still work to do spreading awareness across whole supply chains and with medium-sized companies often poorly protected and facing restraints on investment.”

Table 1: Top 10 global business risks results comparison 2022 vs 2023

Climate change entering top three risks as weather impact bites

Climate change is impacting companies right now as extreme weather events translate into business interruption events – storms, floods, even heatwaves – wreaking havoc on supply chains already battered by Covid. Business interruption drops one position to #2 but remains a key peril. Macroeconomic developments enter the global top 10 for the first time (#6) highlighting inflation and recession fears. Meanwhile pandemic outbreak drops slightly down the ranking as companies learn to operate in the endemic phase – albeit with the risk of Covid surges still requiring agility (China in 2022).

Africa stands out as the only region where pandemic outbreak retains the top spot in 2024. Political risks and violence jumps to #6 globally reflecting events such as the Russia-Ukraine war – although it ranks higher still at #3 for companies in Europe. Shortage of skilled workforce also re-emerges in the top 10 biggest risks, reflecting inflation and a lack of digital skills among talent pools.

“The good news is that companies have become adept at managing Covid-related disruption,” says Shanil Williams, Allianz Global Corporate & Specialty (AGCS) Chief Underwriting Officer and global head of Claims. “But climate change is impacting businesses more frequently and intensely as weather events become more extreme. Companies need to brace themselves for further disruption – review existing business interruption protections and build a more climate-resilient supply chain as today’s vulnerabilities may quickly become tomorrow’s threats.”

Smaller companies facing rising cyber threats and cost pressures

Cyber threats have also consolidated the number one risk for small and mid-sized businesses in 2024. Previously it ranked #2 behind changes in legislation and regulation. Cyber incidents have become bigger, more sophisticated and expensive – now averaging over $1.5mn in losses according to Allianz. Ransomware campaigns are still impacting companies in sectors like tech and healthcare but attackers are diversifying into new targets like critical infrastructure to maximize profits and disruption.

“Cyber criminals are sharing sophisticated tools and exploits widely on forums and ransomware gangs are refining their business models further,” says Michael Bruch, AGCS Chief Underwriting Officer Liability and Financial Lines. “Attackers buy access to company systems from other hackers or exploit vulnerabilities. They aggressively research companies to establish ransom values before encrypting data. And hackers increasingly pressure victims with threats to leak sensitive or embarrassing information if ransom demands are not met.”

The number of ransomware incidents that AGCS has worked on has increased significantly – up by 25% over the past two years. The average cost of cyber crime property/casualty insurance claims is also getting bigger – rising 30% year-on-year in 2021 to around $660,000. The largest claims can run into the tens or hundreds of millions: a $100mn US healthcare breach alone incurred over $100mn loss in business interruption and cyber extortion damage.

Shortage of skilled workforce also emerges as a new risk in the top 10 risks for mid-sized companies (#8), possibly reflecting inflation or lack of digital skills among employees that are needed to help smaller companies transform further in areas like technology. Changes in legislation and regulation which held the top spot before drops down to number two – possibly a sign of adapting to issues like sustainability reporting and regulatory disruption following Covid and Brexit. Meanwhile macroeconomic turbulence like rising inflation enters the top 10 risks at number 10, highlighting the cost pressures also facing smaller companies.

Table 2: Top 10 global business risks small and mid-sized companies 2022 vs 2023

Financial impact from cyber incidents getting bigger

In total, over 2,700 cyber-related incidents were analyzed between 2015 and 2021, with claims increasing by almost 70% over the past three years alone. The financial toll is also getting larger – the average claim is now in excess of $660,000– up 30% compared to 2020 – while the average number of claims per policy is accelerating. Cyber insurance claims are notably more expensive, more frequent and much more severe than conventional Property claims globally, according to Allianz.

The largest cyber claims are now over $100mn but most (90%) fall in the range of $1.4mn to $53mn. Assuming the long-term trend of a 10% annual increase continues, the average cyber claim will reach $830,000 by 2025. Healthcare, pharma and biotech clusters generate almost a quarter (24%) of all cyber claims analyzed but events are diversifying across sectors such as hospitality, retail, banking, manufacturing and critical infrastructure entities.

Malware and ransomware campaigns account for well over 50% of the value of all claims analyzed while loss or damage of data represents almost a third (32%) of the total. Business interruption is also a significant cost, making up 10% of the total. Incident response costs associated with forensic, legal and public relations services are also increasing – on average accounting for over half the total financial impacts in cyber claims.

“Businesses need to invest in strengthening cybersecurity and resilience,” says Bruch. “Many companies still have basic failures in areas like backup procedures or software updates. Our claims analysis shows theyneed to test contingency plans regularly because people are central to cyber resilience. Enhancing the cyber skillsets of employees is often overlooked but vital in the hybrid working world.”

Employee awareness and technical security controls are cited as the main preventative actions that could assist companies improve cyber resilience and help defend against rising threats, according to the latest AGCS Cyber Risk Survey. Almost half (44%) of respondents had already put additional cybersecurity measures in place following geopolitical tensions arising from the Russia-Ukraine war, reflecting the growing cyber impact.

Outlook: Cyber threats diversifying; SMEs under pressure

The cyber threat landscape will continue to diversify in 2024, challenging companies in areas such as supply chain vulnerabilities, infrastructure links or growing compliance legislation around digital responsibility and privacy. Cyberwarfare also remains a background risk while ransomware attacks steadily evolve. Extortion demands will further refine as attackers share information on victims’ financial status, negotiate with targets in online chats and coldly follow up with public leaks, causing reputational damage if companies resist.

Small and mid-sized companies now increasingly face the same cyber and ransomware risks as larger companies but often lack resources like funding and cyber expertise. Cyber criminals will further exploit this imbalance with campaigns targeting perceived “weaker” links in supply chains. Still many smaller companies in sectors like manufacturing remain too underinsured for business interruption hits or lack contingency plans for cyber incidents.

· Supply chain attacks to spread: Cyber criminals follow the money – targeting bigger suppliers in manufacturing, energy, agriculture and technology gives access to higher value victims across various sectors and countries. Smaller companies often lack visibility of third party vulnerabilities.

· Cloud threats gather: Software supply chain compromises and misconfigurations in managed service providers or the cloud will expose services and clients’ data. Multi-tenant environments are also increasingly targeted for ransomware campaigns.

· Infrastructure comes under fire: Attackers seek out high-value victims like hospitals, defense or manufacturers. Shutting down production lines could extract bigger extortion demands. Targets will spread to other critical infrastructure like transport, energy or utilities.

· Compliance piles pressure: Firms already grappling with sustainability disclosure rules now face stringent cyber compliance as digital responsibility climbs legislative agendas following landmark privacy legislation like the EU’s General Data Protection Regulation. Fines will get bigger.

· Unprepared SMEs feel the hit: Smaller companies often underestimate extortion demands and use systems like cloud files to facilitate payment. But they can suffer disproportionately large BI hits from attacks – 25% never fully recover.

Conclusion

The Global Cybersecurity Outlook report highlights a perfect storm of risks facing companies in 2024 with cyber threats now the top concern globally. Extreme climate events are also increasingly impacting businesses through loss of property, business interruption or global supply chains. Cost pressures from inflation and geopolitical tensions like the Russia-Ukraine conflict add further uncertainty.

Small and mid-sized companies now face the same sophisticated cyber threats as larger corporations but often lack their cyber resilience resources and protections. Attackers will further target perceived weaker links in supply chains to maximize profits. Companies urgently need to strengthen cyber security awareness and controls. But many smaller firms still underestimate extortion demands and lack contingency plans. Cyber insurance and resilience-building will be crucial tools to help survive the storm.

AiBot

Author

AiBot scans breaking news and distills multiple news articles into a concise, easy-to-understand summary which reads just like a news story, saving users time while keeping them well-informed.

To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.