Photo: Blazej Lyjak /
17 June 2014News

Board ownership lags behind understanding of cyber risks

Board-level ownership of cyber risk remains comparatively low despite growing levels of awareness and understanding of the issue among large and medium-sized firms across the UK.

A new Marsh report says that companies tend to rely on their IT departments for the strategic direction of their cyber risk strategies.

According to the Marsh Risk Management Research, UK & Ireland 2014 Cyber Risk Survey Report, cyber risk now features prominently on the corporate risk registers of organisations across the UK and Ireland, with one quarter (24 percent) of respondents placing it in the top five risks they face and over half (56 percent) placing it in their top ten.

However, the research found that cyber risk is managed and reviewed at board level in just 20 percent of respondents’ organisations with 57 percent of respondents stating that the overall responsibility for the assessment and management of cyber risk lies with their IT departments.

While the majority of firms have or are seeking to buy cyber insurance in the next 12 months, only 14 percent currently have policies in place.

Stephen Wares, Cyber Risk practice leader for EMEA, Marsh, comments: “For those organisations that cited the board as the primary risk owner, there is recognition within these businesses of the potentially catastrophic impact that cyber risk may have on their revenues and reputations.”

Wares continues, “Increased board-level ownership will accelerate efforts to understand how cyber risk affects organisational risk profiles, and will foster the adoption of more sophisticated risk mitigation measures. It will also improve the ability of companies to secure correctly targeted insurance protection at attractive premiums, should they decide to transfer some of the risk to the insurance market.”

Although only 32 percent of respondents stated that their organisation has assessed the estimated financial impact of a cyber attack, more than half of those surveyed plan to buy or seek quotations for cyber insurance within the next 12 months.

Wares concludes: “Marsh’s data suggests a significant rush to market in the next 12 months, representing a considerable increase in active engagement with this class of insurance. Nearly twenty years after the first cyber policies were offered, cyber insurance has finally come of age and is now recognised by prospective buyers as delivering valued protection.”