Background on Global Cyberwarfare
In November 2022, during NATO’s Cyber Defense Pledge Conference in Rome, NATO Secretary General Jens Stoltenberg said, “Cyber is now a domain of operations equal to those of land, sea, air and space.” It is a bold statement and, as a nascent concept, cyber warfare is still a much-disputed term. However, it is arguably fitting when cyber tactics are designed to disrupt and dismantle supply chains, government operations and critical infrastructure beyond borders. In many respects, the cyberwarfare we’re seeing in the context of Russia’s war on Ukraine could be viewed as a war behind the war. This cyber activity can start long before any boots are on the ground and can continue in times of peace.
Russia’s invasion of Ukraine has included elements of cyberwarfare targeting critical infrastructure in the region, as well as allied nations. For example, there have been several ransomware attacks on munitions companies, defacements against U.S. airport websites, and a huge distributed denial of service (DDoS) attack that crippled one of the largest banks in Russia. Problems continue as the tactics, techniques and procedures (TTPs) of nation state actors are also used by financially motivated cybercriminals who target businesses indiscriminately.
The cyberwar stories we hear on the news are likely just the tip of the iceberg and often reflect the incidents that the nation state actors want appearing in the news agenda. There are many more nation state cyberattacks that are more covert. These are usually a combination of cyberattack methods and highly sophisticated espionage.
It is important to note that cyberwarfare and nation state cyber activity exists beyond the Russia-Ukraine war. We have recently witnessed cyberattacks that can impact a country’s entire population. The Pacific Island nation of Vanuatu lost access to emergency services, government emails and phone lines in November 2022. Today, many government officials and staff in Vanuatu continue to rely on personal email accounts to conduct day-to-day business. Hospitals are using pen and paper for vital communications.
The motivations and identities of cybercriminals and state actors can be difficult to obtain, which adds to the sense of cybersecurity uncertainty, and increases the risk of businesses being caught in the crossfire. Individual threat actors can operate under guidance or protection from a nation state or be directly motivated by financial gain. They can belong to multiple hacking groups, who all have different motivations and alliances. It is becoming harder to discern motives as a single attack, which could accomplish many goals. Regardless, these attackers will chip away, using multiple tactics and attacks, to achieve their objectives of destabilization or financial gain.
Economic Impact of Cyberattacks
Cyberattacks can hit the economy on both a micro and a macro level. Costs related to cybercrime are forecast to reach $10.25 trillion a year by 2025 worldwide, a figure on par with the world’s global energy bill. Meanwhile, global cybersecurity spending is forecasted to grow by more than 10% in 2022-23.
On an individual company level, calculating the economic impact of cybersecurity is challenging because there are both tangible and intangible costs. Compliance is a useful starting point because financial penalties are widely documented and easy to track over time. Indeed, the average cost for organizations experiencing non-compliance issues is now $14.82 million, a 45% increase from 2011. In 2021, the GDPR fines alone reached $1 billion. The financial cost of non-compliance is already significant and is becoming even more so following mandatory reporting from CISA and the introduction of CISA’s first strategic plan.
Many cyber incidents have an immediate and concrete cost, whether it’s a ransomware payment made, valuable IP stolen or loss of productivity due to operational downtime. There are also costs associated with each stage of a cyber incident, including investigation, remediation and notifications/disclosures. The latter are the most complex, time-consuming and costly element of a breach—where damages to reputation, loss of value and litigation challenges occur.
Our CFO research, Cyber Risk and CFOs: Over-Confidence is Costly, found that seven out of 10 companies lost 5% or more of their valuation following their largest cybersecurity incident in the previous 18 months. According to Sustainalytics, a major cyberattack influences a firm’s stock price for 50 trading days. Companies experiencing cyber incidents significantly lag the market and sector benchmark one year later as well. Returns for these firms on average are -0.65% after the cyberattack, whereas the average return in the year prior to the incident was +8.47%.
When firms increase their cybersecurity spend or take a hit to their valuation because of a data breach, they may either pass the higher cost on to customers in the form of higher prices, generating inflation, or they may accept margin compression, resulting in lower investment and employment and dragging on growth. This is yet another unseen way that cybersecurity uncertainty can impact the wider economy.
Responding to Cyber Risk in a World of Economic and Geopolitical Uncertainty
Russia’s war on Ukraine has prompted a change from a “whole of nation” approach to cybersecurity to a “whole of society” approach. In line with the World Economic Forum’s call for “Cooperation in a Fragmented World,” we are likely to see more cooperation in the future between the public and private sectors. Companies should be in regular touch with the public sector regarding cybersecurity best practices and industry regulations, for example.
As a global provider of end-to-end cybersecurity services, we know the scale and complexity of the challenge in front of us. We also know that there is no silver bullet solution. However, there are ways for organizations to regain a sense of control when the world around them feels like it is spiraling.
The key principles of cybersecurity involve detecting threats early, being prepared to respond confidently and effectively while being cognizant of regulations and legal requirements. There’s a combination of tech, people and process decisions that need to be made by every organization, which span penetration testing, compliance, threat detection and response, and breach notification.
In response to the current climate of cyberwarfare and rampant ransomware activity, boards should also stay in close contact with their security leaders and CFOs. They must understand the likely financial exposure a single cyber incident would cause, as well as the impact of cyberattacks hitting multiple organizations, governments and critical infrastructure simultaneously. These scenarios need to be built into financial planning.
For anyone following the news from Davos, expect to see cybersecurity assume center stage alongside the most important challenges facing the global economy in 2023. We will be watching intently because we believe that cyber risk will continue to impact markets and shape business decisions for the foreseeable future, as the uncertainty of 2022 looks certain to continue.