Over the last 12 months we’ve seen the ripples of natural, man-made and political upheaval spread far and wide; and environmental, technological and political changes continue to highlight new uncertainties as global trends set new domino chains in motion. All of these have highlighted the need for organizations to create stronger links between their c-suites, operational managers and partners to produce the required integrated and rehearsed responses.
At the beginning of 2021, key geopolitical risks on the radar included fragile global supply chains, ongoing US-China tensions, climate and sustainability, and the deepening web of cyber risks and digitalization. As the risk landscape continues to evolve, the risk advisory and insurance industries are increasingly reliant on better risk insights and innovation. No single institution has the resources or breadth of knowledge to single-handedly answer all of the questions around the quantification and management of risk and opportunities. Understanding risk and driving resilience are still best met working in partnerships and embracing the talents of people across the globe.
Earlier this year the Willis Research Network team joined forces with WTW’s cyber and geopolitical risk experts to explore the emerging, converging and evolving world of geopolitical risk and cyber. With the emergence and importance of cyber risk increasingly accelerating, the opportunities and threats of the risks of cyber increase for businesses of all sizes.
The world is sitting on the cusp of, if not already immersed within, a 4th industrial and digital revolution, and there are clear business benefits and opportunities associated with the continued emergence and advancement of technologies within the cyber space. According to the UK Government’s own website, ‘technological breakthroughs in areas from artificial intelligence to bio-technologies are heralding a revolution with the power to create, reshape and change almost every sector within the global economy’.
Undoubtedly these will and are transforming and evolving the way we live and work, and with the continued and increased convergence of technologies and operating environments across the virtual, physical and cognitive domains, will also bring new and emerging opportunities for businesses and economies . However they will also bring new opportunities for a wide range of global cyber threat actors. Cyber space is already considered a fifth war fighting domain by multiple nation states, joining the likes of Air, Land, Maritime and Space – however unlike those other environments, the cyber space is really the one that offers a foreign state or threat actor a high degree of deniability, anonymity and increasingly blurred lines when it comes to attribution, prosecution and potentially, retaliation.
For businesses, the current geopolitical and cyber risk landscape means that organizations are at heightened risk of being caught in the ‘virtual cross-hairs’ of what could be considered a global game of cyber ‘chess’, a seemingly endless and strategic game of testing an adversaries defensive (and offensive) capabilities whilst at the same time pushing to the boundaries the very definition of precisely what constitutes hostile or malicious nation state activity - a grey area that remains to this day, and a topic being explored by Elisabeth Braw through her work at the American Enterprise institute.
Key insights shared during the session included:
01
“Cyber impacts on every aspect and level of business, there is responsibility and accountability at every level, it can not be viewed in isolation. Turn a blind eye and it will bite hard, surprise, deceive, paralyze and even destroy a good business. BUT, we have great opportunity to tackle the threat, optimize technology and better understand the cyber and geopolitical relationships, its emergence, convergence and evolution. Most of our actions boil down to knowing and controlling what is connected into our operational systems, optimizing our threat intelligence capability, keeping our technology up to date and regularly rehearsing and testing the whole organization. Preparing for one crisis should be preparation for all potential crises” Andrew Hall, WTW Global Client Relationship Director, Strategic Risk Team.
02
“The industries that are at greatest risk are the ones that don’t take this seriously and invest both in prevention and resilience. Cyber threats are twofold: data loss (theft of IP, personal data, or $) or system availability (disruptive attacks) - with ensuing financial, regulatory and reputational risks. Cyber actors can be politically motivated (State or hacktavist) or financially motivated, or both. If your industry is critical national infrastructure - in the widest sense - then the direct destructive threat from State actors is clearly greater. The range of targets is wide and opportunistic.”
Before 9/11, the dots went unjoined and the warning signs were ignored. While we might discount the self-interested alarms from the cybersecurity industry, we are in the same place with cyber. Offence trumps defense. The trends are clear. Former Director of National Intelligence Dan Coats was clear: "the lights are blinking red.” - Steve Hill, Visiting Senior Research Fellow at Kings College, London
03
“We know already that the cyber employment stream is vastly under-resourced, there are reportedly over 3m vacant posts globally - for businesses and national agencies that is a huge problem, it’s a problem right now and I expect is going to be a problem going forward: how and from where can businesses build sufficient talent to not only develop these new technologies, but also protect and monitor them, and then respond to incidents when they occur? Going forward I think governments and businesses must look at how we can better share and develop the talent, the resources, and the technologies, available to us.” Dean Chapman, Cyber Lead, WTW
“A lot of the US tech talent comes from China – you can’t cut that off. It’s something we’ve been looking at with one of our WRN partners – Elisabeth Braw who started the modern deterrence research stream at RUSI and now continues it at the American Enterprise Institute - investigating how societies can tackle new national security threats without closing themselves off from globalized markets. And that starts with awareness of the risks so you can balance and make decisions on the opportunities.” Lucy Stanbrough, Head of Emerging Risks, Willis Research Network
04
“Every organization will have their own version of what’s critical to their operations. Is theirs a key supplier, a critical location, the failure of their strategy, a node of a transport chain? This is something we’ve been exploring in the Willis Research Network through the use of narrative storylines that weave together risks and trends that are often considered in isolation. We find the process of considering these futures helps move the narrative from prepare for one, to prepare for all. For example, critical infrastructure blackouts were recognized as increasingly important by the CRO Forum in 2020, whether through the risk of natural catastrophes, solar storms or geopolitically-motivated cyber attacks. Stressed global supply chains, geopolitics, and the failure to adequately invest in infrastructure networks could impact continuity of services, especially in a remote working environment.” Lucy Stanbrough, Head of Emerging Risks, Willis Research Network
“Tail-end risks are becoming more common - pandemics, weather events, crowds storming The US Capital or the European Championship final, IT outages, geopolitical crises - or some combination thereof. Boards will never eliminate these risks, but have a responsibility to mitigate and enhance their resilience to bounce back when they happen. Governance and culture matter more than technology. The best money that a Board can spend is to bring on someone with the right experience who sits outside the bureaucracy and internecine politics of an organization to provide 1) a strategic intelligence-led and risk-based perspective and 2) a two hour Board level cyber simulation that will bring home the reality of a major attack in terms not of the technical solutions, but of Board policy decisions and judgements around reputational external communications.” Dean Chapman, Cyber Lead, WTW
As organizations continue to embrace the digital capabilities, boards and their risk managers should remain proactive in reviewing their risk profiles and appetites and in identifying the relevant tipping points. Successful organizations will be those that are able to understand, assess and quantify the connected risks taking advantage of the opportunities and to mitigate or manage the risks associated with the geopolitical developments.
Businesses should continue to stretch their thinking, and where possible embrace intelligence led capabilities that help to reduce the surprise and shock of regional, national and global events. Using a range of tools and scenario planning, organizations can gain a holistic view of their risks and drivers, bringing more clarity to complex risk landscapes, and thereby gain competitive advantage. The WRN, Cyber and Geopolitical forums have a track-record of bringing together diverse expert panels, customized to our clients’ needs, to help in this process.
“Going forward, I think we would be safe in assuming that international affairs will continue in bringing about uncertainty to the global economy. Naturally, and as we have observed through multiple high-profile cyber security incidents on an international stage, with that will come an emerging and evolving cyber and geopolitical risk landscape for businesses and entire nations. Considered alongside the other lenses within our geopolitical risk framework, I believe cyber risk stands alone as the operating environment that will offer and enable an unrivalled opportunity for business innovation and both competitive and strategic advancement…..but it is also, perhaps, the one that could cause us the greatest harm.” Dean Chapman, Cyber Lead, WTW