Cyber security is now considered to be an executive responsibility, with 54% of CEOs in European companies taking responsibility for it, according to new research from Lloyd’s, the specialist insurance and reinsurance market. However, many businesses still underestimate the potential impact of a cyber event, with only 13% of European companies believing that they will lose trade in the event of a cyber attack.
The Lloyd’s ‘Facing the Cyber Risk Challenge’ survey, which examined the attitudes of European business leaders towards cyber risk, also revealed that whilst 92% of businesses had experienced some form of cyber breach in the last five years, only 42% are worried that another incident will happen in the future.
Lloyd’s Chief Executive, Inga Beale, believes the results should serve as a warning that firms may still be too complacent as regards how they are prepared for a cyber risk incident and what the implications of one could be for their business.
Inga Beale said:
“It is reassuring that responsibility for cyber risk is sitting at the most senior level of businesses, but it is clear that too many firms do not believe that the dangers of a breach will severely impact them. I’m afraid we no longer live in a world where you can prevent breaches taking place, instead it is about how you manage them and what measures you have in place to protect your business and importantly, your customers. As recent events have shown, hard-earned reputations can be lost in a flash if you do not have the correct plans in place.”
Inga Beale said that insurance can provide a critical role in helping businesses in this environment, not just in terms of cover for any financial losses, but for the support regarding meeting regulatory obligations and dealing with potential operational and reputational fall-outs.
“New Europe-wide regulations will mean that businesses have to be more responsive to any cyber incident than may have been the case in the past. Insurance companies provide more than just cover for any lost income, they offer a wrap-around service that can keep businesses on the right side of regulation and help protect their customers and their reputation.”
With the incoming General Data Protection Regulation (GDPR), organisations handling EU citizens’ data will be required to report breaches within 72 hours and will face potential fines of up to €20million for failing to secure data. Despite the implications, 57% of business leaders also worryingly admit not fully understanding the potential implications of the GDPR on their company.
“Most British business leaders – who are now driving decisions on cyber protection – have a very limited knowledge of cyber insurance. This is worrying, but understandable, when elements of cyber coverage can be included within many different forms of policy – property, casualty, as well as standalone cyber ones.
“The threat landscape is evolving at a rapid rate – and as technologies advance, policies advance. As a result, too many businesses are not clear what cover they have, leaving them potentially exposed to far more risk than they realise. Having incomplete coverage can have a huge impact on a company’s bottom line; and most businesses don’t realise until it’s too late,” said Keith Stern, Regional Manager, UK & Ireland, Lloyd’s.
The key points highlighted by the survey were:
- 92% of business suffered a cyber security breach in the last five years
- However only 42% are concerned another breach will happen in the future
- Although 97% of respondents have heard of the GDPR, only 7% report knowing “a great deal” about it. 57% said they know “little” or “nothing”.
- Awareness of the implications the GDPR could have upon a business: regulatory investigation (64%), financial penalties (58%), impact on share price (57%) and reputation (52%). Only 13% of businesses believe they could lose customers in the event of a breach
- Top internal threats identified as being able to result in a data breach: physical loss of paper or non-electronic devices (42%), an insider intentionally breaching information (42%), human error or unintended disclosure (41%), lost, stolen or discarded equipment (41%)
- Top external threats identified as being able to result in a data breach: hacking for financial gain (51%), hacking for political motivations (46%), hacking by competitor (41%), phishing (39%), ransomware (37%), malware (32%)
The key points of interest for British businesses were:
- 97% of British businesses have experienced a breach in the past five years
- Only 53% of British businesses are concerned their company will suffer a data breach in the future
- 55% of British CEOs drive the decision about protection against, and planning for, a data security breach
- Only 16% of British businesses believe they could lose their customers as a result of a breach
- 55% of British businesses admit not having much understanding of the upcoming EU regulation
- 55% of British businesses are unaware that there are cyber insurance products providing cover and services to companies that suffer a data breach
- The three biggest threats British businesses believe could result in a data breach are hacking for financial gain (51%), physical loss of paper or non-electronic devices (47%) and hacking for political motivations (46%)