The third Lloyd's Risk Index has been published and it was very interesting to not ethe rise in the Risktable of Cyber Risk.
Cyber risk has moved from position 12 (malicious) and 19 (non-malicious) in 2011 to the world’s number three risk overall. It appears that businesses across the world have encountered a partial reality check about the degree of cyber risk. Their sense of preparedness to deal with the level of risk, however, still appears remarkably complacent.
The number of incidents attributed to state-sponsored hacking and revenge attacks by ‘hacktivist’ networks is growing. So, too, are the costs of cyber breaches. A 2012 study by the Ponemon Institute3 found that the average annualised cost for 56 benchmarked organisations was US$8.9 million a year, up from US$8.4 million in 2011, with a range from US$1.4 million to a staggering US$46 million per year, per company. The most costly cybercrimes involved malicious code, denial of service and web-based attacks.
Against all the evidence of the past two years, businesses believe they are slightly more able to deal with the risk, with an overall preparedness score of 5.9, against the priority given to the risk itself at 5.7. In 2011, the US was the only world region where the cyber threat made it into the top five; by 2013, this is now the region’s number two risk. And yet US businesses still score their preparedness (at 5.4) at a higher rate than the risk itself (at 5.1).
As in 2011, we must ask again if, despite their escalating spend on cyber security, businesses are actually spending money on the right things? Cyber insurance specialists are offering increasingly integrated cyber products, including those that provide cover for data breach costs, forensic analysis and crisis public relations services in one package.
While these products are highly effective in an emergency, spending money upfront on risk management – and ensuring recommendations are implemented throughout a company – might go a long way to preventing a cyber disaster before it starts.
