Big business takes the cyber hit
Despite many theories that small to medium-sized firms are increasingly the preferred target for hackers looking to penetrate the soft underbelly of an organisation with fewer IT resources and weaker defences, this year’s Hiscox Cyber Readiness Report 2018 reveals that big businesses are still firmly in the hackers’ crosshairs.
While our survey of over 4,000 organisations of all sizes in the US, UK, Spain, Netherlands and Germany shows that just under half (45%) of all organisations experienced at least one cyber attack over the last twelve months, the corresponding figure for the largest US firms, those with over 1,000 employees, was 67%.
The cost of the cyber wars
How does this hit rate translate into cold hard cash for the big businesses affected by a cyber incident? We asked our survey respondents to tell us the estimated cost of all their cyber incidents over a twelve-month period. For the largest firms, the US topped the list at an average cost of just over US$1m. Of course, these are average costs, with some large US organisations facing annual costs of up to US$25m – the highest amongst the five nations we surveyed.
Some of last year’s cyber incidents far exceeded these costs. Take, for example, the NotPetya ransomware attack on FedEx, which stemmed from the infiltration of suspected infected tax software in its Ukrainian office and has cost the courier firm an estimated US$300m.
IT security spend is up
Trying to prevent an incident in the first place is also costing businesses a great deal of money. For our survey this year we looked at IT security expenditure and, again, it’s noticeable that the very largest businesses are spending the highest proportion of their IT budgets on IT security. Across the survey, there was an average of 10.5% spent from a typical budget of US$11.2m. The largest firms, however, are spending just over 12% of their IT budgets on mitigating the cyber threat. It looks like most of the largest firms are going to increase their spending too, with 68% of our US-based 1,000+ employee firms looking to spend upwards of 5% more on cyber security in the next 12 months.
Seven out of ten fail cyber test
A key part of our survey is an assessment of just how ready businesses are to deal with the cyber threat. Measuring businesses’ performance across their cyber strategy (oversight and resourcing) and cyber execution (technology and process), we found that nearly three quarters (73%) of all the businesses we talked to can be classed as cyber novices, with only 11% attaining cyber expert status. It’s not surprising, however, that larger organisations are more likely to be classed as experts, with multi-national organisations making up a third of the expert category.
Insurance demand is up
One of the most striking characteristics of a cyber expert is their take-up of standalone cyber insurance, with three out of five cyber experts across the survey saying they have taken out cover. For the largest US businesses, 88% say they already have cover or are planning to buy cyber insurance in the next 12 months. While I think these take-up figures do look a little on the high side, there is no doubt that increased regulation – notably the introduction of GDPR in Europe with its stiffer financial and regulatory penalties – is really driving insurance purchase, particularly with businesses keen to get access to additional expertise in areas such as employee training and risk assessments.
As this survey illustrates, clients are demanding more from their insurance, and it’s important that, as an industry, we stand up to the test and give them the products and services they need to stay safe from the ever-evolving cyber threat.
Find out more: Hiscox Cyber Readiness Report 2018. The survey was conducted on behalf of Hiscox by Forrester Consulting between 12 October and 10 November 2017.