The results of PwC's 25th Global CEO Survey on cybersecurity
of global CEOs from the financial sector are concerned about IT security.
fear that cyber risks will jeopardise their ability to innovate.
see cyber attacks as a threat to their ability to sell products and services.
of German CEOs see cyber attacks as the biggest business risk.
Cyber Security Leader at PwC Germany and EMEA
No topic currently concerns global CEOs as much as the increasing threats to IT security. 49 % of the CEOs surveyed said that potential attacks on digital infrastructures are currently among their biggest concerns − ahead of pandemic-related health risks (48 %) and macroeconomic volatility (43 %). Among German executives, the concern is much more pronounced with a survey score of 59 %. The CEOs see IT security incidents as endangering above all their ability to sell their products and services as well as their ability to innovate. Executives of financial (67 %) and insurance companies (64 %) are most concerned about IT security. The results of the global survey show that building cybersecurity skills in the workforce and on the board is currently one of the most important goals CEOs should focus on when transforming their organisation.
These are the findings of PwC's 25th Global CEO Survey, in which nearly 4,500 CEOs worldwide participated.
“Investment in cyber security has not kept up with the pace of digitization in the past 2 years. Although it's good to see C-suite awareness rising, it's time to shift cyber security from a compliance activity to one that is woven into business operations and enables business strategy.”
German CEOs have recognised the risk posed by cyber espionage, data theft, ransomware and other threats to their IT security. The fact that executives rank information security as their biggest concern at 59 %, ahead of pandemic-related health risks, reflects the seriousness of the situation. According to the global study, CEOs from the financial sector rate the threats most critically. In this segment, 67 % of respondents worldwide said cybersecurity posed the greatest business risk to them. The concern is not unfounded; companies from this industry fall victim to cyber attacks significantly more often than organisations from other economic sectors. In particular, the ongoing digitalisation of financial services has greatly increased the attack surface of these companies in recent years and represents a critical factor in risk management.
The operational impact of security incidents can be serious − both for the company itself and for its customers. Cyberattacks cause trillions in damage every year and rapidly paralyse companies. In this context, both German and international CEOs see the greatest risk to their ability to sell their products and services (67 % in Germany, 62 % internationally). The assessment is quite justified − factories, offices and branches at a standstill were repeatedly the result of advanced cyberattacks last year. In Germany, 59 % of those surveyed also see their ability to innovate threatened by such attacks (internationally: 52 %). This development forces companies to subject their operational security to a comprehensive analysis and to continuously re-evaluate the protection of digital assets.
Cyber attacks have become the number one risk for CEOs. What factors are responsible for this?
Grant Waterfall: There are various reasons for this, which differ from industry to industry. Across markets, the increased pace of digitalisation is definitely a key factor in the growing exposure. Whether in manufacturing, the financial sector or public administration, the implementation of new technologies and the digitalisation of business processes always opens up new avenues for potential attackers.
The greatest uncertainty regarding IT security is in the financial sector. Is the sector particularly at risk?
Waterfall: Financial service providers have always been a key target for cyber criminals. These organisations move money around a lot and deal with large volumes of personal information, making them attractive targets. Increased mobile banking has also contributed to more attacks recently. In addition, EU and national regulators are stepping up their focus on ensuring systemic risks related to digital resilience are addressed. DORA, the EU Digital Operational Resilience Act, seeks to harmonise Information and Communications Technology (ICT) risk requirements across Europe. At the same time, however, there is still a lack of proven measures and security technologies in many places. Therefore, I still see a great need for improvement here.
Concern about cyber risks is much more pronounced in Germany than in other countries. What is the reason for this?
Waterfall: Germany is playing digital catch-up, supercharged by the pandemic. This has driven a dramatic increase in CEO awareness in the past 2 years. CEOs worry about the new security risks and exposures of remote work, cloud adoption, new digital channels to market and smart factories and the effect of these on their ability to deliver business outcomes. This is compounded by the increased threats, in particular what can be near-existential threats from ransomware.
What can CEOs do to better protect themselves against the omnipresent threat scenarios?
Waterfall: First of all, IT security must become a fixed key figure in the boardroom and corporate objectives. In order to effectively anchor the topic at the board level, a chief information security officer is needed who bears responsibility and forms cross-functional teams. In addition, CEOs should incorporate security considerations into every important decision − such as acquisitions or the introduction of new products. In the medium term, the reduction of complex IT infrastructures is also an important goal in order to permanently increase security and avert potential damage.