Cyber threat largest risk facing UK businesses: Marsh

The cyber threat remains one of the most significant – and growing – risks facing businesses in the United Kingdom, Marsh UK said in a report released on Monday.

The report, titled UK Cyber Security – The role of insurance in managing and mitigating the risk, said that 81% of large businesses and 60% of small businesses in the UK suffered a cyber security breach in the last year, with the average cost of breaches to businesses nearly doubling since 2013.

“Cyber attacks have entered mainstream consciousness on the back of a wave of well-reported incidents affecting individuals, firms, and governments, and today most large businesses have cyber on their risk registers and have assigned accountability and actions to improve their cyber security,” the report said. “There is a growing concern with the physical damage impacts of cyber attacks (whether indirectly or directly), given the increasing connectedness of assets to the internet.”

The report said that there is still “a significant degree of discomfort at board level given the newness of the risk and its potential for costly and public disruption. Similarly, the cyber insurance market is still in its infancy, with around half the business leaders we talked to not aware that insurance covers cyber risk, and just 2% of large firms having explicit cyber cover, a figure that drops to close to zero for smaller firms.”

The report involved interviews with senior management in some of the UK’s largest firms, expert input from 13 London market insurers, and the analysis of data emerging from surveys, insurance policies and other sources. [click image below to enlarge]

Many firms place cyber among their leading risks in terms of the likelihood and severity of impact. Consequences that cause the greatest concern include data loss, business interruption and theft of intellectual property, with the impact depending on industry, risk profile and size of a particular firm. For large organizations, intellectual property (IP) theft is seen as the risk that could have the most severe impact. The picture for small and medium-sized enterprises (SMEs) is similar, but for this segment of companies, insurers see a higher incidence of cyber crime.

“SMEs are also considered to be at a greater risk of data/software damage,” the report said. “This reflects the belief that SMEs are more vulnerable to attack and lack the back-up disaster-recovery solutions of larger firms. On the other hand, with the exception of those working on innovative technologies, most SMEs are considered less likely to suffer from losses connected to damaged reputation or IP theft.” [click image below to enlarge]

In fact, half of the firm leaders interviewed did not realize that cyber risks could be insured, with cyber risk surveys from Marsh and Zurich showing that 52% of CEOs believed that they were covered, when, in fact, less than 10% had coverage. “This picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded, and sometimes covered as part of an add-on policy.”

The cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more established general liability risks, reflecting the possible exposure that insurers are taking on with cyber. Cyber insurance also has a much lower degree of price differentiation across individual firms, which suggests that pricing also reflects the lack of data needed to underwrite accurately, the report suggested. “This is concerning because it undermines the value of insurance in encouraging risk reduction by firms, since they will not see a corresponding reduction in their insurance costs.”

Globally, the total realistic possible maximum loss for cyber globally is currently around £20 billion. By comparison, that amount is within the reinsurance capacity for single-event risk (£65 billion), but well above that for nuclear (£3 billion). “With cyber set to grow, it suggests an urgent need to address the size of aggregate risk being built up, and how to handle it,” the report suggested.