BOARDS are failing to protect their companies and customers against cyber attack, despite more companies taking out cyber insurance, according to new research.
Less than a third of boards surveyed in Marsh’s UK Cyber Risk Survey Report 2016 are taking responsibility for cyber risk, though this is a rise from 19% in 2015. Fewer still are assessing the wider risk to their companies and customers via the supply chain.
Just over a quarter of respondents said their company’s supply chains are assessed for cyber risks, up slightly from 22% in 2015, meaning the majority are leaving themselves exposed through third-party suppliers.
Cyber risk is no longer just about data security: an attack has the potential to result in operational disruption, physical damage, bodily injury and, perhaps most important of all, reputational and brand damage.
The recent Cyber Security Breaches Survey 2016 report published by the government found that 65% of large organisations and 51% of medium organisations have suffered a security breach in the past 12 months.
The number of companies saying they have a basic or complete understanding of their company’s cyber exposure has risen to 83% compared to 61% last year, according to the survey.
“The gaps in assessing supplier risk and quantifying the scale of cyber threat suggest that there is still plenty to do,” Mark Weil, CEO, Marsh UK & Ireland, said.
IT departments remain responsible for the review and management of cyber risks in the majority of companies. Although IT departments might know how to implement cyber security, they are not necessarily skilled in identifying business-critical risk or mapping the potential operational and financial impacts on a company.
Marsh’s research showed that 29% of respondents have bought, or are in the process of buying, cyber insurance cover. An additional 26% are seeking quotes for cyber insurance.
The survey found that more than two-thirds (67.6%) of organisations have planned for sources of funding in the event of a cyber-attack, but Marsh said it questioned the adequacy of the methods, given that just 35.4% of them have conducted or estimated the financial impact.