Cyber risk has become a big corporate issue, but most companies still do not fully understand what it could mean for them, says Stephen Wares of Marsh.
It came as little surprise that cyber risk featured prominently yet again in the World Economic Forum’s Global Risks 2014 report, as senior management continues to gain greater understanding of the extent of the cyber threat in today’s rapidly changing technological environment.
The Marsh UK and Ireland 2014 Cyber Survey Report discovered this to be particularly true of domestic companies, after finding that just 1% of respondents’ organisations have “no understanding” of cyber risk. This increased awareness has propelled cyber risk up corporate agendas across the UK and Ireland, with participants indicating it now appears on 82% of risk registers.
Acquiring a complete understanding of the cyber threat, however, requires having a comprehensive knowledge of both the external risk and the liabilities that are specific to your company. From the results of our survey, it appears that the majority of domestic organisations are lacking the data to make this a reality.
When we asked participants in our survey whether their organisation has been subject to a cyber attack, successful or otherwise, in the past three years, we were surprised to find that just 34% said yes and that 62% did not know at all. This figure appears remarkably low when contrasted with the UK Department for Business Innovation and Skills’ 2014 Information Security Breaches Survey, which found that 81% of large organisations and 60% of small businesses experienced a cybersecurity breach in 2013. It suggests, worryingly, that many organisations may have fallen victim to non-material attacks of which they remain unaware.
To make matters worse, we found that more than two thirds (68%) of companies in the UK and Ireland have not estimated or assessed the financial impact of a cyber attack on their business. It is therefore evident that boards and risk professionals lack sufficient information to adequately assess the risk at hand and, as such, determine whether it is value for money for them to transfer the risk to the insurance market.
Despite this, we were encouraged to see more than half (51%) of respondents indicate that their organisations currently buy or plan to seek quotations for cyber cover in the next 12 months. This suggests that nearly 20 years after the launch of the first cyber policies, cyber insurance has finally come of age as a recognised and valued class of insurance by businesses in the UK and Ireland.
Nevertheless, the 14% take-up rate is still low. There is a lot of work to be done by organisations before we can expect to see a marked rise in the uptake of cyber insurance, much of which comes down to their being able to make an informed value judgement on its worth.
A major barrier to this taking place in the near future is the fact that more than half (57%) of firms are still heavily reliant on their IT departments for the final word on cyber security. Only with an increasing ownership of cyber risk at board level and the implementation of a holistic approach to risk management will we begin to see improved and bespoke mitigation, and a subsequent uptake in cyber cover as organisations are better able to identify and quantify their risks.
And the market’s focus is on the right issues. Asked where they believe the greatest threats originate, respondents highlighted breach of customer data and business interruption as the two greatest concerns – the two subjects which, for years, have been at the centre of cyber products in the insurance market.
Stephen Wares is EMEA Leader for Marsh Cyber Risk Practice