Cyber risk mounts as three in five firms hit

Written by Hannah McGrath
23/04/2019

More than three in every five companies (61 per cent) suffered a cyber security incident in the last year, with average losses rising from $229,000 in 2018 to $369,000 in 2019, according to the latest cyber readiness report from Hiscox.

The insurance firm surveyed more than 5,400 private and public organisations in the US, UK, Belgium, France, Germany, Spain and the Netherlands, finding a 45 per cent increase in reported cyber incidents since last year.

Hiscox ranked firms for their levels of cyber readiness and experience of cyberattacks, and found that only 10 per cent ranked highly enough to qualify as cyber security ‘experts’, a marginal decline in the preparedness of organisations, despite the rising threat posed by cyber attacks and data breaches.

For large firms, with between 250 and 999 employees, cyber-related losses now top $700,000 on average, compared with $162,000 a year ago.

While larger firms are still the most likely to suffer a cyber attack, the proportion of small firms - defined as those with less than 50 employees - reporting an incident was up from 33 per cent to 47 per cent. Among medium-sized firms - 50 to 249 employees - the proportion leapt from 36 per cent to 63 per cent.

The average spend on cyber security is now $1.45 million, up 24 per cent on 2018, and the pace of spending is accelerating. The total spend by the 5,400 firms in the survey came to $7.9 billion. Two-thirds of respondents said they were planning to increase their cyber security budgets by five per cent or more in the year ahead.

There was also a wide disparity in cyber readiness between the countries surveyed. Overall, US, German and Belgian firms scored the highest on the cyber readiness model, while more than four-fifths of French firms (81 per cent) are still in the ‘novice’ category. Along with the Netherlands, France has the smallest proportion of large and enterprise firms that rank as ‘experts’, at nine per cent.

The proportion of firms with no defined role for cyber security has halved in the past year - from 32 per cent to 16 per cent - and the survey found a marked fall in the number of respondents saying they changed nothing following a cyber incident - from 47 per cent in 2018 to 32 per cent in 2019.

New regulation has also prompted action, with 84 per cent of continental European firms saying they have made changes following the advent of the General Data Protection Regulation (GDPR). The figure for UK firms was 80 per cent.

As a countermeasure, more than two out of five firms (41 per cent) said they have taken out cyber cover in the past year - up from 33 per cent in 2018. A further 30 per cent plan to take out cover in the year ahead. More than half of larger firms now have cover, but only 27 per cent of small firms.

Gareth Wharton, chief execurive of Hiscox Cyber, said: “For the first time, a significant majority of firms report one or more cyber attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable.”

“The cyber threat has become the unavoidable cost of doing business today,” he said.

However, Wharton added that one positive flagged by the report is an increase in the number of firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber insurance policy.