More work needs to be done by brokers to help companies understand their exposure to an attack


Less than a fifth (18%) of companies have a complete understanding of their exposure to cyber risk, a substantial drop compared to last year’s figure of 34%, according to the latest Marsh Cyber Risk Survey.

Marsh said more work needed to be done by insurance brokers and organisations to help improve a company’s understanding of cyber risk and their exposure to an attack.

Board-level ownership of cyber risk also existed in only 19.4% of UK organisations, with IT departments continuing to take primary responsibility for cyber risk in 55% of organisations.

The broker said: “This comes at a time when cyber risk is being evaluated as a board agenda item, suggesting that executive-level interrogation has exposed a pre-existing overconfidence in the level of knowledge and understanding within certain organisations.

“If this is the case then it is clear those tasked with creating critical management information relating to cyber risk need more help and guidance to get them to a position where the level of management information is adequate.

“More work needs to be done by organisations and their professional advisers, including their insurance brokers, to help improve their understanding of cyber risk and their cyber exposures.”

The data for the research, which was launched at the annual Airmic conference today, was collected from risk professionals and chief financial officers from large and medium-sized firms in the UK.

The report also found 48.6% of respondents admitted to having insufficient knowledge to assess the insurance available, which may suggest a lack of insight into what can be insured by a cyber insurance policy.

“The figure might also indicate that a lack of understanding of their firm’s own risk profile places many respondents in a position where they are unable to make an informed judgement as to whether the cover is appropriate,” Marsh added.

The study found that 52.8% of respondents’ organisations are engaged with the insurance market over buying cyber insurance, while 47.2% said they had no plans to purchase cyber insurance.

Marsh said this was likely to be because they had an incomplete understanding of the risk.

The study also found that businesses had done a lot to improve cyber security in the past 12 months; however, their exposure to third parties presented significant risks to companies’ networks.

According to the report, 69.4% of companies did not assess their suppliers and/or customers for cyber risk.

Marsh EMEA cyber risk practice leader Stephen Wares told Insurance Times: “There have been a number of attacks recently where the hacker has gained access through a third party. It is really about recognising that the perimeter of the hacker is not the same as that of the organisation.”

He added: “There needs to be an improvement in supply chain resilience to cyber attack if organisations are going to reduce the threat arising from this key vulnerability, particularly for large organisations with a profile that attracts highly activated and sophisticated hackers who might identify smaller business partners that are typically less well protected.”