The latest UK Cyber Risk report from Marsh shows that cyber risk is becoming top of mind for financial professionals. But being aware and doing something about it may be two different things — and many firms are overlooking supply chain vulnerabilities.
Slowly but surely, cyber risk is gaining attention in the United Kingdom.
In its UK Cyber Risk Survey Report for 2016, which polled U.K.-based risk and financial professionals on their attitudes towards cyber risk and cyber insurance, Marsh found that awareness is up, but that a genuine understanding of the risks, and of the possible costs of a cyberattack, still lags significantly behind.
It is no surprise that, as cyberattacks have risen in frequency and in cost (measured in money, time and reputation), U.K. firms have gained some insight into their exposure. As Marsh noted, roughly 84 percent of respondents reported having at least a basic or a “complete understanding” of their own organization’s exposure to attacks, up from nearly 61 percent in 2015.
But another statistic is more troubling: only a quarter of those respondents believe they (or their firms) have a “complete” understanding of their exposure and risk. That suggests, said Marsh, that there is “still a lot of work to do to improve understanding and management.” In fact, about 35 percent of those surveyed said they have no quantitative estimate of what a successful attack might cost their firm. And while 40 percent of firms said they had experienced a cyberattack in the past 12 months, figures from the U.K. government tell a more harrowing tale, with 65 percent of large organizations and 51 percent of mid-sized firms reporting breaches. That points to at least some disconnect between perception and reality.
Could complacency be a risk in itself? Notably, the share of firms that have actually estimated the financial impact a cyber event would have on them has slipped to 35.4 percent this year, from almost 40 percent last year. And when it comes to supply chain risk, a hallmark of B2B-specific pitfalls, only a quarter of firms actively assess the cyber risks arising from their third-party business relationships.
Despite that lack of “hard calculation” as to what a data breach would cost, a growing number of companies now rank cyber risk among their foremost concerns: more than 71 percent place it among their “top 10” risks, up from 46 percent last year.
With that awareness in place, 29 percent of these risk professionals said they have bought, or will be buying, cyber insurance, and another 26 percent are actively seeking quotes for such cover. That leaves open the question of what other lines of financial defense the remaining firms have in place. Similarly, only 34 percent of firms have been asked to demonstrate strong cyber risk management practices, said Marsh.
As for who is ultimately responsible for overseeing cyber risk: Marsh found that boards are increasingly taking ownership of it, but even so, as many as 55 percent of organizations still centre responsibility for managing cyber risk in the IT department. The study sees an inherent weakness here: “While IT departments might know how to implement cybersecurity, they will not be able to identify business-critical elements and, therefore, map the potential operational and financial impacts an event could have.”