Despite mounting concerns about cyber risk and the potential financial and reputational consequences of information security breaches, leading organisations across Europe are failing to integrate cyber threats fully into their risk management strategies. According to new research, risk managers are considerably more concerned about the perceived threat of cyber risks to their organisations than 12 months ago. In a survey conducted at a Marsh's recent annual Communications, Media and Technology (CMT) conference, and published today by Marsh and Chubb Insurance, 69% of the CMT, financial services, insurance and law delegates questioned said that their concern about cyber risk has increased over the previous 12 months.
Although the perceived threat of cyber risk is on the rise, Marsh and Chubb Insurance's research suggests that awareness and understanding of cyber risk among the insurance and risk management community remains low:
Over half (54%) of respondents did not know whether their organisation had been subjected to a cyber attack in the last 12 months;
Only 41% said that their organisation had estimated the financial impact of a cyber attack; yet one-quarter felt that a cyber attack could cost their organisations in excess of $5 million.
Fredrik Motzfeldt, CMT Practice Leader for Europe, the Middle East and Africa (EMEA) at Marsh, commented: "Risk managers are right to be concerned about cyber risk. These threats will become considerably more acute for organisations as a result of our growing dependence on technology and web-based solutions such as cloud computing. "Despite these concerns, risk managers continue to have a minority stake in the management of cyber risk. Our research found that 33% of respondents believed that the IT department was responsible for cyber risk management in their organisations, compared to only 13% who thought it was a matter for the risk management function. Cyber risks pose too great a risk to the continued success of organisations to be misunderstood. Closer alignment to the risk management function is a vital first step to countering this threat and ensuring that a risk based approach to IT investments is adopted."
Only 21% of respondents to the survey stated that their organisation currently purchased cyber insurance cover. Additionally, the research found that only 11% of respondents felt confident that their current cyber insurance provision meets their organisational needs, raising questions about the insurance industry's ability to respond to cyber threats. Richard Lambert, European Technology Insurance Manager, Chubb Insurance, added: "Changing technology and the increased value of data are presenting new risks to business. Cyber risk is just one of many emerging hazards resulting from the increased digitalisation of society, where everything from bank to health records is stored electronically. "The insurance market response to this is to see an opportunity to develop new products and provide risk solutions to business product innovation is key. The fact that only a minority of those surveyed felt that the cyber insurance available in the marketplace today is meeting their needs is a clear call for continued dialogue between the business, legal and insurance communities."
Marsh and Chubb Insurance's survey follows the launch of the Cloud Risk Framework, a five-stage process that enables organisations to evaluate the risks and the potential financial impact of any change in risk profile involved in a shift to 'the cloud'. The Cloud Risk Framework is the result of a year-long collaboration by the Cloud Risk Forum, a Marsh-led group of international legal, insurance, risk, and technology experts.