Discover how we focus on cyber in the FM Global Resilience Index
Benedict McKenna, FM Global
Resilience is the capacity for a business to quickly recover from disruption. Under pressure, a resilient organisation is able to quickly adapt to challenges and maintain continuous business operations that safeguard people, assets and reputation. However, due to risk factors that vary across countries, it is difficult to predict the specific challenges that businesses may face.
The FM Global Resilience Index casts a light on the resilience of the business environments of nearly 130 countries and regions. This information allows businesses to make more informed risk management decisions and allows them to take steps to combat future challenges. Furthermore, as more businesses seek to operate in emerging markets, information about economic stability, the dependability of supply chains and degree of risk will become increasingly useful. The index was developed in 2014 and is updated annually. This regular update allows users to compare the resilience of each country’s business environment on a year-to-year basis, enabling users to identify broad trends across the world and within nations. The most recent data highlights the real and growing threat of cyber-attacks. One of the challenges that cyber poses for businesses is that the lack of geographical borders has allowed cyber-attacks to spread quickly if unchecked. To help businesses understand this global threat, the FM Global Resilience Index ranks the inherent cyber-risk of indexed countries and regions, while simultaneously providing five years of historical data analysing this potential threat.
How it works
Creating a comprehensive index has involved identifying many of the main causes of disruptions and the drivers of recovery. The data that the index rankings are based on represent those elements inherent to a country that can demonstrably have an impact on resilience. Importantly, for a driver to qualify, it must have a clearly disruptive effect on a country’s resilience. The process identifies the following 12 drivers that can have an adverse effect on the resilience of a country’s business environment, which fit into three categories: economic, risk quality and supply chain [1]:
1. Economic – The political and economic impacts on a country’s resilience. Productivity, political risk, oil intensity and urbanisation rate.
2. Risk quality – Exposure to natural hazards, natural hazard risk quality, inherent cyber-risk and fire risk quality.
3. Supply chain – Control of corruption, quality of infrastructure, local supplier quality and supply chain visibility.
There are six steps involved in creating the index:
1. Annual data from nearly 130 countries and territories is collected for each of the 12 drivers.
2. The data is organised into a consistent data set.
3. The calculation of z-scores is applied to standardise the data. This allows for comparison between the data sets.
4. The z-scores are converted into a scale of 0-100.
5. The scores from the 12 drivers are combined with equal weighting to form the index.
6. Countries such as the US and China are presented as three regions due to their geographical spread. In both China and the US, different regions are exposed to different natural hazards, such as wind, flood and earthquake.
The index’s inherent cyber-risk rankings for countries are based on two contributing measures: a country’s civil liberties and its level of Internet penetration. With a high Internet penetration rate, citizens have greater access to the Internet, enabling access to the benefits this brings. However, greater access to the Internet provides increased opportunity for hostile actors to engage in damaging activities. Likewise, countries with more civil liberties have a higher potential ability to protect themselves from cyber-attacks. Notably, Taiwan’s inherent cyber-risk rank increased from 107th in 2017 to 50th in 2018. This was driven by an improvement in Taiwan’s civil liberties and a slight drop off in those with access to the Internet, from 88% to 80%.
Closer to home, the UK’s inherent cyber-risk rank decreased from 84/130 in 2017 to 91/130 in 2018. This change in rank was due to an increase in the UK’s Internet penetration. Cyber-risk is constantly evolving, creating a very difficult climate for all types of organisations. However, businesses should not despair, as there are a number of proactive steps that businesses can take to mitigate the damage from cyber-attacks.
With the recent UK government statistics revealing that nearly seven in 10 large companies have experienced a cyber-security breach or attack, it is clear that businesses need to take measures to minimise the risk of this happening and to be prepared to swiftly mitigate the impact should a cyber-attack occur [2]. While the constantly evolving nature of cyber-risk is a challenge to business resiliency, the following offers some practical advice on preparedness:
Governance: It is essential that the C-Suite understands that cyber-risks are not just the responsibility of the IT department. In most cases, cyber-attacks and data breaches occur from employees sharing sensitive data or opening fraudulent emails – something which can be reduced through cyber-risk education.
Preparation: Strategies include ensuring that computers and Internet-connected devices are updated to have the most recent security features. Business continuity plans and holding statements allow for quick responses and action if a cyber-attack occurs.
Back up your data: Having a secure back-up plan in place will benefit organisations if an attack does occur. While a back-up plan won’t prevent an attack from happening, it will help to ensure that organisational data is not lost.
Change passwords frequently: Many cyber-attacks occur because passwords are too simple. Hackers are able to use technologies to take encrypted passwords and crack them. This method is sometimes called ‘brute forcing’. By employing a sophisticated password strategy, the likelihood of a cyber-attack is significantly decreased. Passwords should use a combination of uppercase and lowercase letters, as well as symbols or numbers. Passwords should also be changed once every three months.
Awareness: Cyber-attacks can take a variety of forms, so staff should be trained to ensure they are aware of the different forms of cyber-attacks. Emails containing attachments with viruses, vishing or hacking can all lead to data breaches.
Unfortunately it is not possible to fully eliminate the risk of a cyber-attack; hackers will continue to evolve new and sophisticated methods to get around even the tightest of security. Therefore a recovery plan should be in place covering such areas as:
- How to go about identifying and isolating a security breach in an acceptable recovery time to minimise impact on the business.
- Mobilising a dedicated response team, identified in advance.
- Notifying information regulators of any breach involving public/third party data.
- Engaging PR consultants to manage the various lines of communication and reassure the wider public.
The presence of a recovery plan can help to reduce the long-term reputational damage that businesses can suffer after the public is made aware that they have suffered a significant cyber-attack or data breach. The recovery plan will ensure that a business is resilient – and a resilient business will be at a competitive advantage to its non-resilient competitors. Finally, organisations should partner with an insurer that understands the cyber risks faced, not only offering practical prevention advice but also able to respond in the event of an attack.
This article first appeared in the Network Security newsletter.
About the author
Benedict McKenna is vice president, FM Global London Operations claims manager, based in Windsor, UK. In this role he is responsible for management of claims for London Operations’ written accounts, as well as AFM UK. Additionally, he manages loss handling activities across UK, Middle East and Africa. He leads a team of in-house adjusters and claims examiners, and also conducts regular policy training sessions with clients and brokers, as well as attendance at seminars and market initiatives both in the UK and EMEA region.
1. ‘2018 Resilience Index Methodology’. FM Global. Accessed Oct 2018. www.fmglobal.com/~/media/Files/FMGlobal/Resilience%20Index/Resilience_Methodology.pdf?la=en.
2. ‘Almost half of UK firms hit by cyber breach or attack in the past year’. Department for Digital, Culture, Media & Sport and the National Cyber Security Centre, 19 Apr 2017. Accessed Oct 2018. www.gov.uk/government/news/almost-half-of-uk-firms-hit-by-cyber-breach-or-attack-in-the-past-year