Canadian Underwriter
News

Two-thirds of U.K. polled firms not assessing financial impact of a cyber attack: Marsh


September 19, 2016   by Canadian Underwriter


Print this page Share

Almost two-thirds of surveyed large and medium-sized organizations in the United Kingdom do not conduct or estimate the financial impact of a cyber attack, notes a new report issued Monday by Marsh.

Despite a 56% rise in boardroom ownership of cyber risk, notes a Marsh statement, 64.6% of firms taking part in the survey are still failing to conduct or estimate the financial impact of a cyber attack.

With just 35.4% of organizations doing so, this is actually down from 39.9% in the 2015 results, states Marsh’s UK Cyber Risk Survey Report: 2016.

Based on the responses of risk professionals and chief financial officers, the report explores organizations’ attitudes towards the cyber threat, their management control processes, and their understanding and use of cyber insurance as a means of risk transfer.

For those organizations that have estimated financial impact, 47% of respondents report the worst loss value would be £1 million or less; 16% report it would be £1 million to £2 million; 16% report it would be £2 million to £5 million; and 21% report it would exceed £5 million.

The low percentage of firms conducting or estimating financial impact clearly illustrates there is some way to go in terms of applying basic risk management techniques, such as impact measurement and quantification of potential losses.

“Conducting financial impact analysis is the next step for these organizations and one which is necessary to put them in a strong position to eventually mitigate and/or transfer the risk,” states the 2016 report.

“Loss severity analysis for cyber risk requires well-developed loss scenarios that include enough detail to be able to identify the specific financial impact on the organization,” the report adds.

That 67.6% of polled organizations “have planned for sources of funding in the event of a cyber attack is encouraging; however, we would question the adequacy of these methods when just 35.4% of them have conducted or estimated the financial impact,” Marsh notes.

Nonetheless, survey findings show understanding around cyber risk has increased over the past 12 months.

In fact, more than eight in 10 – 83.8% – of respondents report having a basic or complete understanding of their company’s exposure to cyber risk compared to 60.8% last year.

Less positive, though, 75% of organizations taking part do not have a “complete” understanding of cyber risk, notes the report. Again, this suggests there is “still a lot of work to do to improve understanding and management.”

In all, 71.8% of companies represented by respondents to this year’s survey place cyber as a Top 5 or Top 10 risk on their corporate risk registers compared to 45.8% in 2015.

However, Marsh emphasizes in the report, “we see many companies develop good risk registers and stop there in their efforts at risk management. The risk register is the first step in the risk management process – not the last.”

Findings indicate 30.3% of polled businesses have board-level ownership of cyber, up considerably from 19.4% in 2015.

“Today, it is no longer just about data security – although, obviously, this remains a key issue – it has the potential to result in operational disruption, physical damage, bodily injury and, perhaps more important of all, reputational and brand damage,” states the report.

“Board-level buy-in is essential if organizations are to map the potential operational and financial impacts an event could have to their business,” it adds.

“This will then help move them beyond raising awareness, giving them a better understanding of the business risk posed to their companies and putting them in a good position to place a value on mitigation and/or risk transfer actions,” the report points out.

Despite the enhanced awareness and the rise in boardroom ownership, though, “IT departments remain responsible for the review and management of cyber risk in 55% of organizations,” Marsh points out.

“While IT departments might know how to implement cyber security, they will not be able to identify business-critical elements and, therefore, map the potential operational and financial impacts an event could have,” the report states.

Another finding of concern is that just 26.5% of respondents say they believe their organizations’ supply chains are assessed for cyber risks. That means “the overwhelming majority of companies are leaving themselves exposed to third parties, from service providers to customers,” notes the report.

The 26.5% is up from 22.2% in 2015, but still shows more work needs to be done with the majority of organizations.

Forming a cross-disciplinary team of colleagues to “focus on identification of the risks and the impacts they may have on your business is an important first step you should take,” Marsh recommends in the report.

“However, from discussions with U.K. organizations, we don’t yet see a large proportion making this commitment, so the survey findings are consistent with our experience,” continues the report.

Other findings from the survey include the following:

  • just 20.6% of companies are buying insurance (importantly, 42.6% of respondents believe they have insufficient information to answer just how relevant modern cyber insurance products are to the needs of their organizations);
  • 55.9% of respondent firms are engaged with the cyber insurance market in one way or other;
  • 35.5% of respondents’ organizations have been asked to demonstrate a competent standard of IT security practices by their own bank and/or customers in order to do business with them; and
  • respondents’ greatest concerns continue to be breach of customer information (32.4%) and business interruption (19.1%), issues that can be covered against in a basic cyber policy, while reputational loss came in third at 13.2%, overtaking crime/fraud.