Marsh: UK firms must do more to assess cyber threats

24 June 2015 Consultancy.uk

UK companies need to do more to assess cyber threats, research by Marsh shows. The research shows that two-thirds does not assess their suppliers or customers for risks when trading, putting themselves at risk. According to the firm, “a lot needs to be done”, starting at the boardroom level, only with engaged boards, increased understanding of the risks and value of the risk transfer options can be achieved.

Insurance broking and risk management firm Marsh recently released its ‘UK 2015 Cyber Risk Survey Report’. The research, for which the consulting firm surveyed Risk Managers and Chief Financial Officers from more than 100 large and medium sized firms in the UK, shows that many UK firms are failing to adequately assess their customers and trading partners for cyber risk, hence putting themselves at greater risk of cyber-attacks.

Understanding of exposure to cyber risk

Marsh’s research shows that while UK firms place cyber threats among their leading risks, much need to be done when it comes to understanding the exposure to cyber risk. Less than one in five (18%) respondents has a ‘complete’ understanding, which is down from the 34% from 2014. The majority (52.8%) say they have a ‘basic’ understanding and a quarter a ‘limited’ understanding.

In the past year, 40.3% of organisations have encountered a cyber-attack, up from 31% in 2014. One in five (20.4%) of respondents say they have insufficient knowledge to answer the question. Of the organisations attacked, the majority (61.1%) says they have not made any estimates when it comes to financial impacts of the cyber-attack.

Financial impact of cyber-attacks

More than two-thirds (69.4%) admit not to assess their suppliers and/or customers for cyber risk when they do business, while 8.4% say they have not enough knowledge to answer the question. The lack of assessment also works the other way around, with more than half (51.4%) stating their bank and or customers do not ask them to demonstrate a competent standard of their IT security practices when doing business.

Assessing cyber risks

To protect themselves from the damages of a cyber-attack, more than half (52.8%) of respondents say their organisation is “engaged with the insurance market in one way or another.” However, just one in ten (11.1%) organisations already has bought insurance. Around half (48.6%) highlight their lack of knowledge when it comes to the insurances available and what can be insured by a cyber-insurance policy.

Marsh indicates that this can also suggest a lack of knowledge of the organisation’s own risk profile, which prohibits the leaders to make an informed judgment as to whether the insurance cover is appropriate for their company.

Cyber insurance

The researchers stress that a lot “needs to be done by UK organisations in order to improve their understanding and management of cyber risk.” According to them, the solution to this lies in the boardroom, which currently in less than five (19.4%) of organisations takes primary responsibility for cyber risk.

Stakeholders responsible for the review and management of cyber risks

“If organisations are to reduce the threats arising from cyber-attacks, more work needs to be done to consider cyber security as a business issue, as opposed to a technical problem […] Cyber risk management should be at the heart of the strategic decision-making process. Only with board-level support can companies take the big strides needed to advance their knowledge and perform the financial modelling required, to judge the value of the risk transfer options available on the market,” explains Stephen Wares, Marsh’s Cyber Risk Practice Leader EMEA.