Hiscox: The Ferrari of cybersecurity is no good without a driver

Insurer’s survey finds US firms are investing in infrastructure, but not training their employees

By Bethan Moorcraft

Cyber risk is a real threat to businesses of all shapes and sizes. The frequency and severity of cyberattacks are on the rise, and awareness of the risk is slowly but steadily growing around the world.

Hiscox, the international specialist insurer, recently released the Hiscox Cyber Readiness Report 2019, which gauges how prepared businesses are to combat cyberattacks. The annual report, which surveyed nearly 5,400 professionals from the US, UK, Germany, Belgium, France, Spain and the Netherlands who are responsible for their company’s cybersecurity, found that 61% of firms suffered a cyberattack in the past year, compared to 41% the year prior. The median cost for losses associated with cyber incidents shot up from $229,000 to $369,000.

Of the 1,000 US companies surveyed, 53% of respondents reported an attack in the past year, compared to 38% the year prior. The mean cost of cyber incidents in the US was $119,000, which for most small to middle market companies, “is a very real figure that could have serious operational impact on their businesses,” according to Meghan Hannes, cyber product head for Hiscox in the US.

The increased cost and frequency of cyber incidents has not gone unnoticed among US businesses. According to the Hiscox survey, 72% of US firms plan to spend more money on their cybersecurity in the coming year. However, only 11% of respondents said they would pump increasing funding into employee training and cultural changes as a result of a cybersecurity incident.

“We see a strong desire from organizations to do more, which seems to be translating into them spending more money on cybersecurity infrastructure,” said Hannes. “A far smaller percentage of firms – only 11% – are actually planning to train their employees, which strikes me as a pretty significant disconnect. Essentially, they’re buying the Ferrari of cybersecurity, but they’re not training their employees on how to use it.”

Hiscox evaluated all respondents’ strategy (oversight and resourcing) and execution (technology and process) around handling cyberattacks before ranking the firms into three categories: ‘cyber novice’, ‘cyber intermediate’ and ‘cyber expert’. Based on Hiscox’s proprietary module, companies had to achieve a minimum score of 4.0/5 in strategy and execution to qualify as a cyber expert.

In the 2019 report, the number of large and enterprise firms considered ‘cyber experts’ in the US dropped from 26% to 11%. Hannes attributes this dive partly to the lack of investment in employee training. Spending money on security infrastructure is only ever “half the picture,” she stressed. Increased cybersecurity spending without proper employee training is “the equivalent of pouring water into a leaky bucket,” Hannes added.

Another key finding in the Hiscox report revolved around unexpected risks in the supply chain. More than half of US firms (56%) experienced cyber-related issues in their supply chains in the past year. Despite this majority figure, only 7% of respondents said they would increase their evaluation of the supply chain as a result of a cybersecurity incident occurring in the past 12 months. This is the first year Hiscox has incorporated supply chain risk into the Cyber Readiness Report, so there are no year-on-year statistics. What is clear, according to Hannes, is that there is very little visibility into supply chain risk, and where visibility does exist, awareness of the tools for measuring, mitigating and responding to supply chain incidents remains limited.

“Cyber risk in the supply chain needs to be taken more seriously,” Hannes told Insurance Business. “Companies need to audit third-party vendors to see what their cyber readiness posture is, check what their contracts look like, and to determine how everyone will respond in the event of a breach. There’s often a lot of uncertainty as to who is responsible for what when a cyber incident happens. Skipping that step alone in the preparation process can have a very detrimental impact on both parties.”

Insurance is another vital aspect of cyber risk readiness, and there has been some encouraging growth in the marketplace across businesses of all sizes. However, of the 1,000 US businesses surveyed by Hiscox, 27% said they have no plans to purchase cyber insurance, and 5% said they were unsure of what cyber insurance is. This suggests there’s still a lot more work to be done by the insurance community.

“We reference the leaky budget syndrome in our report, which is where companies keep spending money on cybersecurity, but the risk doesn’t materialize and their readiness doesn’t necessarily improve,” Hannes commented. “The problem is, companies don’t always see an immediate return on investment, which means it can be hard to spend the money.

“Cyber risks tend to stay dormant for a long time before they rear their ugly heads. Business leaders sometimes make false assumptions that everything’s OK because they haven’t had an obvious breach, but that’s not a fair assumption because of the dormancy of some of these major attacks. Like an iceberg, malware can live under the surface for months before it surfaces and then it can cause a lot more damage than its initial appearance might suggest.”

The Hiscox Cyber Readiness Report 2019 is available to download here.
