UK and Ireland 2014 Cyber Risk Survey Report
Using its knowledge and information about the cyber risk in the UK and Ireland, Marsh has undertaken an in-depth study into organisations’ attitudes towards the threat, the processes they have in place, and their understanding and use of cyber insurance as a means of risk transfer.
The benchmarking data in this report was collected from risk professionals and CFOs from large- and medium-sized corporations from across the UK and Ireland.
Awareness of Cyber Security is Growing
There was little surprise to see that cyber risk had surged up the list of top concerns in this year’s World Economic Forum’s Global Risks 2014 report, as a greater awareness of the threat and its potential repercussions slowly filters into boardrooms across the world. This awareness has also stirred shareholders and customers, who now possess a heightened expectation that organisations will have undertaken a thorough evaluation of cyber risks that may impact the business. It is therefore not surprising that more than one third (34%) of responses to our survey reflect this position.
The cyber threat has become truly pervasive to modern business and indeed life in general; persistent warnings by domestic and foreign governments, regulators, and insurers, alongside the numerous high-profile cyber attacks covered in the media, have made the risk almost impossible to ignore. This would appear to be supported by the survey’s findings that just 1% of respondents believe their organisations have “no understanding” of their own cyber exposures. Nevertheless, obtaining a complete understanding of an organisation’s cyber vulnerabilities requires not only having detailed knowledge on the risk itself, but also undertaking a complex and thorough review of internal systems and processes to assess and identify potential exposures. With two-thirds of respondents suggesting that the risk is at least to some extent under-investigated by their employer, there is still the possibility that an unexpected cyber incident could blindside these organisations.
Increased awareness has resulted in cyber risk featuring prominently on organisations’ corporate risk registers. In total, 82% of survey respondents revealed that the risk appears somewhere on their corporate risk register; cyber risk is listed among the top ten risks on the corporate risk register of 56% of companies, while 24% place it within the top five.
Today, it is difficult to bring to mind a type of business that does not depend upon IT to run critical business functions, and so, while the majority of respondents reported that the risk features on their risk register, it is worth noting that cyber risk is absent for nearly one-fifth of organisations. We expect that the increasing awareness and ownership of this risk issue at board level will move cyber up the ranking in a relatively short space of time.
High levels of awareness and understanding of cyber risk, however, do not appear to have translated into concerted action taken on the part of the board to manage cyber risk from the top.
For those organisations that cited the board as the primary risk owner, there would appear to be recognition within these businesses of the potentially catastrophic impacts of cyber risk that has moved the issue up from an operational level. However, cyber is managed and reviewed at board level in just 20% of respondents’ organisations, despite the fact that it is listed as a top-five risk in 24% of companies’ risk registers. It is difficult to imagine a board deciding not to engage in a strategic oversight of another top-five risk and instead leaving the responsibility for its management to an individual party or department, or, as is the case in 5% of respondents’ organisations, outsourcing it to a third party.
The level of involvement from the risk management function is also low, and while it is understandable that IT departments should take a primary role in the practical control of cyber risk, its overall management, and risk financing decisions in particular, should reside elsewhere. However, 57% of respondents indicated that their organisations leave the assessment and management of cyber risk to their IT departments; a concerning number at a time when so many components of a business’s day-to-day operations are technologically dependent and business strategy and plans are more intertwined than ever with the course of technological innovation.