Cyber risk no longer an emerging risk but here to stay, risk managers believe
Cybercrime needs to rise yet further up the risk management agenda if businesses are to cope with the threat, according to cyber specialists across the world.
Risk managers surveyed recently by Commercial Risk Africa agree with the findings of two major surveys released in the past month, in which cyber has been put at the top of the agenda.
According to the 2015 International Business Resiliency Survey, conducted by brokers Marsh and the Disaster Recovery Institute International (DRII), firms consider cyber and IT-related risks to be the most likely to occur and have the greatest potential impact on their operations.
Marsh, in collaboration with DRII, surveyed nearly 200 C-suite executives, risk professionals and business continuity managers from large and medium-sized corporations internationally about their organisations’ attitudes toward business risks and the risk mitigation processes they have in place. The survey results indicate that organisations are better positioned to address traditional rather than non-traditional risks and that risk managers and CEOs have different perceptions about the severity and control measures in place for various risks facing their organisations.
From 10 suggested risk scenarios, the top risks in terms of impact and likelihood are: reputational damage from a sensitive data breach (impact 79 percent, likelihood 79 percent); failure in a main IT data centre (59 percent, 77 percent); and online services being unavailable due to a cyber attack (58 percent, 77 percent). The risks with the lowest potential impact originate from a product recall event (15 percent, 21 percent).
According to the survey, CEOs overestimate their levels of protection for the most likely and high-impact risks: 28 percent stated they have dedicated insurance coverage against cyber attacks and 21 percent stated they have dedicated insurance protection for reputation damage after a data breach. However, only 6 percent of risk managers stated that they have dedicated coverage for these risks.
“Product innovations in specialty insurance such as cyber make this a good time for organizations to revisit their coverage to make sure that it is properly nuanced to meet the unique needs of their industry and the corporation’s business goals,” said David Batchelor, President of Marsh’s International Division. “Additionally, having a well thought out crisis management plan is a critical element in protecting an organisation’s reputation.”
Three out of four respondents considered the failure of IT systems as one of two areas that could have the greatest impact on their organisation’s reputation, along with the lack of crisis management planning. Both CEOs and risk managers identified IT system failure prevention (29%) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25%). However, CEOs placed far less importance on the resiliency of IT systems (60%) in relation to reputation management.
In terms of preparedness, the majority of organisations believe they are better positioned to deal with traditional rather than non-traditional risks: respondents rated the level of resilience of their organisations to be high for natural catastrophes and IT system failure (40% and 44% respectively), and low for political violence and an activist group attack on social media (both 32%).
Cyber is no longer considered an emerging risk, but its rapidly changing nature still confounds many, according to a survey from brokers Aon. A few years ago, it was criminals aiming predominantly at financial gain by stealing personal and company data. Now, extremist groups use cybercrime techniques to damage companies’ and governments’ reputations by stealing and publishing confidential information. As motivation for cyber attacks has evolved, so has their effect, creating additional layers of new, interconnected risks.
The recently released Aon-sponsored 2015 Global Cyber Impact Report, conducted by the Ponemon Institute, found cyber is one of the fastest growing risks for companies across the globe, as mobile technologies advance, and cloud computing, corporate bring-your-own-device policies, big data analytics and the ‘internet of things’ are becoming increasingly widespread. About 37% of surveyed companies have experienced a “material or significantly disruptive security exploit or data breach” one or more times during the past two years, and the average economic impact of the event was $2.1m.
Given the proliferation of internet-connected devices, which is expected to grow from 10 to 50 billion units, cyber risk is expected to skyrocket during the next five years. Since cyber risk is fast-moving, impossible to predict and difficult to understand, the damage can be immense. Cyber attacks often cause system failure and business interruptions that take extended time to recover from, and catastrophic attacks frequently lead to directors’ and officers’ liability allegations. Unfortunately, organisations buy insurance to cover just over half of the maximum probable loss of property, plant and equipment, and only 12% of the probable maximum loss of information assets.