Cost and Frequency of Cyber Attacks on the Rise, yet Companies are Less Prepared to Combat Attacks, According to Hiscox Cyber Readiness Report
NEW YORK, NY – April 23, 2019 – Hiscox, the international specialist insurer, today released The Hiscox Cyber Readiness Report 2019™, which gauges how prepared businesses are to combat cyber attacks. The annual report surveyed nearly 5,400 professionals from the US, UK, Germany, Belgium, France, Spain and the Netherlands who are responsible for their company’s cybersecurity and found that the cost and frequency of attacks are on the rise. Sixty-one percent of firms experienced a cyber attack in the past year, compared to 45% in 2018. The median cost for losses associated with cyber incidents also soared from $229,000 to $369,000.
To determine the respondents’ preparedness to handle cyber attacks, Hiscox evaluated the firms’ strategy (oversight and resourcing) and execution (technology and process) and ranked them as a ‘cyber novice,’ ‘cyber intermediate’ or ‘cyber expert.’
Key findings specific to the more than 1,000 US companies surveyed include:
- Leaky bucket budgets: Seventy-two percent of firms plan to increase spending on cyber security in the coming year. However, increased spend without proper infrastructure and training is the equivalent of pouring water into a leaky bucket. Only 11% of respondents cited increased spending on employee training and culture changes as a result of a cyber security incident, both of which are crucial components of a company’s defense against cyber risks.
- Attacks are on the rise: Fifty-three percent of respondents reported an attack in the past 12 months, compared to 38% last year. Many companies do not take proper action following an attack, with 45% of companies reporting experiencing three or more attacks in the past year. Cyber incidents come with a large price tag. The mean cost of cyber incidents in the US was $119,000.
- Fewer large companies are ‘cyber experts:’ While it would seem they have the resources to be prepared, only 11% of large and enterprise firms ranked as ‘cyber experts,’ compared to 26% of large and enterprise firms last year.
- Unexpected risks in the supply chain: Fifty-six percent of firms experienced cyber-related issues in their supply chain in the past year. However, only 7% of respondents cited increased evaluation of the supply chain as a result of a cyber security incident occurring in the past 12 months.
- Lack of insurance heightens the stakes: Twenty-seven percent of respondents have no plans to purchase cyber insurance, and 5% are unsure of what cyber insurance is.
“The message that cyber risk is a real threat to businesses of all sizes is sinking in. Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defense,” said Meghan Hannes, Cyber Product Head for Hiscox in the US. “Many believe that increasing cyber-related spending fully protects a business, but it isn’t enough. Businesses must take a holistic approach, ensuring they can properly maximize their investment with appropriate internal protocols, staffing, and employee training, ultimately creating a human firewall as the first line of defense.”
Creating a Line of Defense: Cybersecurity Best Practices
Based off Hiscox’s proprietary module, companies in the seven countries surveyed had to achieve a minimum score of 4.0/5 in strategy and execution to qualify as a ‘cyber expert.’ The study identified ‘cyber expert’ best practices that ‘cyber novices’ lack, and, based on the global findings, these include:
- Securing executive buy-in: Only 54% of ‘cyber novices’ globally believe cybersecurity is a top priority for their firm’s executive management/board as compared to 85% percent of ‘cyber experts.’
- Creating a well-defined strategy with input from multiple stakeholders and determining a formal and adequate cyber budget: On average, ‘cyber experts’ globally devote 14.7% of their IT budget to cybersecurity, but ‘cyber novices’’ cybersecurity spending accounts for just 8.7% of their overall IT budget.
- Dedicating a cyber head tasked with overseeing the strategy, supported by a team if necessary: Globally, 51% of ‘cyber experts’ have a dedicated leader who oversees cybersecurity, compared to just 39% of ‘cyber novices.’
- Regularly evaluating the supply chain: Only 18% of ‘cyber novices’ strongly feel that they have good visibility into their suppliers’ security arrangements, compared to 34% of ‘cyber experts’ globally.
- Defining a process that spans from when a cyber incident is detected to when it has been mitigated, and making sure employees are ready to learn, respond and make changes to this process if an incident occurs: Eighty-five percent of all ‘cyber experts’ have a clearly defined cybersecurity strategy, compared to just 53% of ‘cyber novices.’
- Conducting proactive testing through simulated attacks and regular phishing experiments: Forty-one percent of ‘cyber novices’ globally have conducted phishing experiments to understand employee behavior and readiness for attacks, compared to 69% of ‘cyber experts.’
- Insuring your business with a cyber policy: Globally, 59% of ‘cyber experts’ currently have already adopted cyber insurance, compared to only 37% of ‘cyber novices.’
Hiscox USA provides a variety of specialty risk solutions including a broad spectrum of professional errors & omissions, general liability, cyber and data security, media liability, management liability, crime, kidnap & ransom, terrorism and commercial property insurance products.
Hiscox offers an online interactive suite of cyber security training modules included as part of its Cyber and data insurance policies that helps customers prepare their employees and reduce the risk of a cyber incident occurring.
In the US, Hiscox has offices in New York, NY; Atlanta, GA; Chicago, IL; Dallas, TX; Los Angeles, CA; Phoenix, AZ; San Francisco, CA and White Plains, NY.
– End –
About the Study
Hiscox commissioned Forrester Consulting to assess organizations’ cyber readiness. In total 5,392 professionals responsible for their organization’s cyber security strategy were contacted (1,000 plus each from the UK, US and Germany, and 500 each from Belgium, France, Spain and the Netherlands). Thirty-nine percent of respondents were from organizations with fewer than 50 employees (small firms), 16% from medium-sized firms employing 50-249 people, 16% from large firms employing 250-999 personnel and the remaining 28% from enterprises with 1,000 or more employees. Respondents completed the online survey between 22 October and 7 December 2018.
About The Hiscox Group
Hiscox is a global specialist insurer, headquartered in Bermuda and listed on the London Stock Exchange (LSE:HSX). Our ambition is to be a respected specialist insurer with a diverse portfolio by product and geography. We believe that building balance between catastrophe-exposed business and less volatile local specialty business gives us opportunities for profitable growth throughout the insurance cycle. It’s a long-standing strategy which in 2018 saw the business deliver a profit before tax of $137.4 million in a challenging year for insurers.
The Hiscox Group employs over 3,300 people in 14 countries, and has customers worldwide. Through the retail businesses in the UK, Europe, Asia and the US, we offer a range of specialist insurance for professionals and business customers as well as homeowners. Internationally traded, bigger ticket business and reinsurance is underwritten through Hiscox London Market and Hiscox Re & ILS. In the US, Hiscox underwrites admitted insurance products through Hiscox Insurance Company Inc., a Chicago-based insurer.
Our values define our business, with a focus on people, quality, courage and excellence in execution. We pride ourselves on being true to our word and our award-winning claims service is testament to that. For more information, visit www.hiscoxgroup.com.
Follow Hiscox USA on Twitter @Hiscox_USA and @HiscoxSmallbiz.
The content provided above is provided for general informational purposes, but is not intended, nor shall it be deemed, to be business, legal or insurance advice for any particular or specific person or entity.
+1 646 442 8341
+1 678 781 6003