The number of cyber attacks worldwide increased significantly within the past year. In the second quarter of 2024 alone, the number of reported incidents increased by around 30% compared to the same period last year. In 2023, the number of cyber attacks in Switzerland increased by 61% compared to the previous year. Almost half of all large Swiss companies were attacked at least once by cyber criminals. Current findings suggest that this trend will intensify throughout the course of the year.
In view of this trend, the Federal Council published a report this summer that emphasizes the need to coordinate prevention and repression, while at the same time calling for even greater cooperation between various stakeholders and more intensive preventive work in order to protect the population and businesses.
Helvetia Insurance highlighted early on the need for increased cooperation between business, science and government, especially in order to minimize the risks of large, systemic cyber attacks, which require high cover capacity and for which – if they did occur – only a fraction of the expected loss would actually be insured.
Market penetration for cyber insurance still negligible
In order to discuss the possibilities of minimizing this insurance gap and to show possible perspectives for the development of sustainable cyber resilience in Switzerland, well-known representatives from the fields of business, science and government came together for the second time since 2023 for a symposium entitled "Developing Cyber Resilience – Trends and Perspectives", on the initiative of Helvetia.
Host and Helvetia Switzerland CEO Martin Jara made it clear in his opening speech: "Although progress has recently been made in the fight against cyber crime, there are still obstacles that make it difficult to improve cyber resilience effectively." Martin Jara also believes the insurance companies themselves have a responsibility: "In recent years, the industry has provided balanced insurance offers for companies and private individuals and invested a lot in increasing resilience, yet market penetration is still negligible." However, the largest possible number of insured companies would be an important contribution to minimizing uncovered damage in the event of a major incident.
The Swiss Insurance Association (SIA) calculated the risk of a major systemic cyber attack for Switzerland at the end of last year in cooperation with the risk assessor Moody's RMS. Laurent Marescot, Senior Director and catastrophe risk management expert at Moody's, currently assumes that there is a one percent chance of a cyber incident in Switzerland each year that would entail a total economic loss of over CHF 2.5 billion. When calibrating a corresponding risk model, the fact that comparable historic events cannot be used in the case of cyber incidents and that the effect of such events – unlike damage due to natural disasters – cannot be clearly defined geographically turned out to be particularly challenging.
Resilience of society must be increased in the long term
To reduce the existing insurance gap, it is essential from the point of view of the business representatives present to sustainably improve the resilience of Switzerland as a business location in the long term. However, according to Klaus Julisch, partner at Deloitte (Switzerland) AG, human nature often stands in the way. An attitude of "what may not be, cannot be" and a naive faith in technology often open the door to attackers. In the current situation, however, it is almost essential for survival to check every IT project for its cyber security and to keep this monitoring up to date. Projects that do not meet these requirements are no longer justifiable today or, in the words of Klaus Julisch: "Digital projects that cannot afford cyber security do not have a business case."
Marc Holitscher, National Technology Officer and Member of the Board at Microsoft Switzerland, focuses on the possibilities of artificial intelligence in building resilience against cyber criminals: "AI already allows for a coordinated defence across all threat vectors in order to ultimately ensure comprehensive transparency and to combat possible threats." But just as important from Holitscher's point of view is the know-how relating to strategies and procedures of cyber criminals, which today can be built up much more efficiently thanks to generative AI solutions, which in turn allows for a more targeted fight against possible attacks.
Responsibility starts with the individual IT user
Ultimately, as all speakers agree, an efficient fight against cyber attacks must start with the users of IT infrastructures. This was also highlighted by Christoph Guntersweiler, Head Engineering Switzerland at Helvetia, who in his remarks pointed out the importance of continuing to raise awareness among the workforce of SMEs and large companies: "Only those who, in addition to other measures, regularly and comprehensively sensitize in-house users to cyber risks can consistently protect themselves against attacks."
Large-scale global loss potential
Despite the high awareness of cyber risks, systemic attacks by criminal or political players on critical infrastructures remain a latent risk. Taking into account the existing insurance gaps, the global net loss potential turns out to be colossal. Kai-Uwe Schanz, Deputy Managing Director of insurance think tank The Geneva Association, focuses on the global dimensions of coordinated malware attacks or global cloud outages with losses ranging from USD 50 billion to USD 200 billion. In the event of targeted attacks on critical infrastructures such as the global power supply, the consequential loss would amount to more than USD 1,000 billion.
Public-private partnerships as a potential solution
From the point of view of The Geneva Association, public-private partnerships (PPPs) are indispensable for such incidents. The COVID pandemic in particular showed that international risk scenarios and their costs can only be mastered with the involvement of as many state and scientific institutions and organizations as possible and through innovative approaches.
Manuel Suter, Deputy Director of the National Cyber Security Centre (NCSC), Bernhard Maissen, Director General of the Federal Office of Communications (OFCOM), and Vincent Lenders, Director of the Cyber Defence Campus at the Federal Office for Defence Procurement, proved that the dimensions of the cyber threats are taken seriously by the state. All experts agree: the risk of cyber attacks will continue to rise. The reasons for this include an ever-greater availability of hardware and software worldwide, steadily increasing computer capacities and, as a result, ever-increasing networking. At the same time, the extent to which criminals can be prosecuted via international sanctions is still limited.
Switzerland can contribute to international cooperation
But Switzerland is officially ready – and that's the good news – to make its contribution towards greater cyber security. The NCSC proposal is also interesting: building on its role as a mediator in international conflicts, Switzerland should make Geneva available as a venue for international debates on cyber security and actively promote an open, free and secure cyberspace at an operational and strategic level, as well as the comprehensive recognition, observance and enforcement of international law in the digital arena. As a link between universities, industry and the federal government, the Cyber Defence Campus already operates five innovative PPP models, which could also serve as blueprints for further initiatives of this kind.
Politicians have to create optimal framework conditions
The bottom line is that Switzerland is doing a lot in all areas to stand up to cyber crime. Ultimately, however, in order to be prepared for major cyber incidents, increased cooperation and coordination between all relevant stakeholders in business, science and government is essential. However, this requires the full support of the political partners. The final panel discussion with the members of the National Council and security politicians Michael Götte (SVP/SG) and Fabian Molina (SP/ZH) showed that the topic is recognized at this level. Despite the differences in the specific structure, both members of the Federal Council's Security Policy Committee (SPC) agreed that Switzerland urgently needs to catch up on cyber security and that it is now up to the politicians to create optimal framework conditions as quickly as possible for the stakeholders involved.