Earlier this year, results were released from the seventh Emerging Risks Survey conducted by the Joint Risk Management Section, a collaboration of the Casualty Actuarial Society, Canadian Institute of Actuaries, and Society of Actuaries. In the series of annual surveys, the researchers strive to “track the thoughts of risk managers about emerging risks across time.” These trends, they explain, “are as important as absolute responses, helping risk managers contemplate individual risks, combinations of risks, and unintended consequences of actions." For instance, the researchers point out that we are at a crossroads in regard to risk management: Five years of intense management and regulatory activities around financial emergencies are giving over to other emerging risks that could span longer periods. Cyber risk is one of these emerging risks.
IT Business Edge’s Kachina Shaw asked Max Rudolph, author of the survey report, Society of Actuaries member, and founder of Rudolph Financial Consulting, about some of the survey’s results around cyber risk and risk management.
Shaw: Can you explain what makes a risk an “emerging” risk? At what point would the cyber security category of risks, for example, become a non-emerging risk, by most measurements?
Rudolph: A risk is an emerging risk if I expect it to increase in importance over the next 10 years or more. This allows the category to be very broad, ranging from nano-particles to pandemics to currency volatility.
When it ceases to be an emerging risk is very arbitrary, as many risks evolve over time. For example, pandemics were a major risk following the 1918 outbreak, but then receded back to potential risk until recently and still could result in a major event not seen in many years. To me, our survey has shown cyber security as a risk to spend resources, evaluating since 2009 when responses exceeded 20 percent. This showed a broad interest in the risk, so risk managers could no longer hide behind the herd mentality that no one else was considering cyber risk.
From the survey: “Cyber security has been a risk of growing importance, trending up from 21 percent in 2009 to this year’s survey where 47 percent listed it among their top five emerging risks. With the revelations of the National Security Agency (NSA) surveillance program and retail store Target’s breach of confidential credit card information, this heightened awareness has been justified and provided warning of the need for awareness and mitigation of this risk.”
Shaw: Are there specific types/varieties/categories of cyber security-related risks that your respondents made reference to?
Rudolph: No. Our research does not dive into specifics of these risks, although a risk combination question ties it closely to financial volatility, transnational crime and terrorism.
From the survey: “The evolution of the top four risks chosen provides evidence that trends can be relied on in this survey. The general continuity between surveys is very reassuring. The emergence of risks like cyber security/interconnectedness of infrastructure shows how concerns are evolving away from the Economic category.”
Shaw: Are there relationships, inverse or otherwise, among the top emerging risks identified in this survey that you would describe?
Rudolph: We primarily focus on the risks in isolation, but we do have a few questions looking at risk combinations. The top combination is financial volatility and blow up in asset prices. Other risk combinations focus on currency risk, terrorism, and cyber risk.
From the survey: “The survey again asked about concerns due to combinations of risks. Four of the top five combinations included Financial volatility, selected with Blow up in asset prices (7 percent), Chinese economic hard landing (4 percent), Liability regimes/regulatory framework (4 percent after not being rated previously), and Fall in value of U.S. dollar (3 percent). The top combinations not including Financial volatility consisted of International terrorism and Cyber security/interconnectedness of infrastructure with 4 percent, fourth overall.”
Shaw: I see that your survey document concludes that the cyber security risk level is predictive, rather than reactive to recent events. Is that a common situation, especially given that we have all been exposed to numerous reports of breaches and other cyber security events recently?
Rudolph: This survey closed prior to the Target breach. As it is the 7th survey we have been able to trend results. Going backward, cyber risk has steadily grown from 21 percent in 2009 to 47 percent of responses in 2013 with continuous (monotonic) increases.
From the survey: “Prior survey analysis has focused on anchoring, where respondents get pulled toward recent events. This year results do not confirm these tendencies, and the cyber security results point toward a predictive quality of the survey.”
Shaw: Any surprises in the data surrounding cyber security?
Rudolph: No. It continues to gain interest as a current risk as well as an evolving risk. It concerns me that the current push is to buy insurance rather than to improve practices, as that is the ultimate solution. Boards may feel the issue is addressed with insurance, but coverage will become unavailable if you are a repeat claimant.