Just 11% of UK Firms Have Cybersecurity Insurance

Just 11% of large and mid-sized UK organizations currently have cyber insurance, and the vast majority simply don’t understand the true nature of cyber risk because they haven’t assessed third-party suppliers, according to a new study from Marsh.

The insurance broker interviewed CFOs from over 100 firms to compile its annual Cyber Risk Survey Report, but found, disappointingly, that the proportion of respondents who felt they had “complete understanding” of their risk exposure dropped from 34% last year to just 18%.

Despite cybersecurity risk being ranked as a number one threat by the government’s National Security Strategy, just 16.6% placed it as a top five risk on their ‘risk register’ while the rest put it outside the top 10.

Adding to the problem is that nearly 70% don’t assess suppliers or trading partners for cybersecurity risk, while over half (51.4%) claimed that they’ve not been asked to demonstrate a ‘competent standard’ of IT security best practice to either their bank or customers in order to do business with them.

IT departments continue to take responsibility for cybersecurity risk (55.5%), while the board remains reluctant to get involved in all but 19% of organizations surveyed.

“If organizations are to reduce the threats arising from cyber-attacks, more work needs to be done to consider cybersecurity as a business issue, as opposed to a technical problem,” said Marsh EMEA cyber risk practice leader, Stephen Wares, in a statement.

“This is especially true for larger organizations, which attract highly motivated and sophisticated hackers that might identify smaller business partners that are typically less well protected as the ‘back-door’ into their IT systems.”

Although only a small percentage of organizations studied said they currently had insurance, more than half (52.8%) claimed that they are looking to invest in a policy going forward.

The UK government did its bit to raise awareness about cybersecurity insurance in a major March report co-authored by Marsh, arguing that the promise of lower premiums could encourage firms to invest in improved defenses.

It added that insurers themselves could help firms by sharing threat intelligence in the form of “insight from claims and near misses across their client base.”
