The Hiscox Cyber Readiness Report 2019

Rising to the cyber challenge

Our third Hiscox Cyber Readiness Report provides you with an up-to-the-minute picture of the cyber readiness of organisations, as well as a blueprint for best practice in the fight to counter the ever-evolving cyber threat.

Barely a week goes by without news of a major cyber incident being reported, and the stakes have never been higher. Data theft has become commonplace; the scale of ransom demands has risen steadily; and cumulatively the environment in which businesses must operate is increasingly hostile. The cyber threat has become the unavoidable cost of doing business today.

This is our third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms surveyed said they experienced one or more cyber attacks in the last 12 months. Both the cost and frequency of attacks have increased markedly compared with a year ago, and where hackers formerly focused mainly on larger companies, small-and-medium -sized firms are now equally vulnerable.

Regulation is going some way to improving awareness and mandating a baseline of cyber security rigour. In 2018, we saw the introduction of the EU’s General Data Protection Regulation (GDPR), to which businesses have adapted, and a by-product of this has been an uptick in demand for cyber insurance. In the pages that follow, we see that more firms are taking a structured approach to the problem, with a defined role for managing cyber strategy, and we can also see more appetite to transfer some or all of the risk to an insurer by way of a standalone cyber insurance policy.

The old adage ‘prevention is better than cure’ springs to mind, and being aware of these threats is half the battle. From our experience as a cyber insurer, business email accounts being compromised is currently the main cause of cyber claims, followed by ransomware.

We launched our online training platform, the CyberClear Academy, a year ago in a bid to better equip our customers against these perils and already more than 2,500 companies have benefited from it. We don’t rest on our laurels though, and will continue to develop other preventative measures that protect our customers and what matters to them.

The cyber risk may mutate rapidly, but progress in mitigating and managing it is also evolving. I hope this report will go some way to helping promote a better understanding of the issues and encourage the adoption of rigorous and effective measures to minimise the cyber threat.

Gareth Wharton

Cyber CEO

Hiscox Cyber Readiness Report 2019

Download the report

Hiscox Cyber Readiness Report 2018

Download the report

Executive summary

Cyber readiness levels stall as attacks reach a new intensity in terms of both frequency and cost.

Key findings

Reasons for optimism despite stalling readiness scores.

Our quantitative model of cyber readiness shows a small decline this year in the proportion of firms achieving ‘expert’ scores for their cyber strategy and execution – down from 11% to 10%.
The first-time inclusion of French firms has reduced overall scores. There has also been a drop in the number of large (with 250 to 999 employees) and enterprise firms (1,000 plus) in the USA and Germany that achieve top scores.
More than three out of five firms (61%) reported an attack in the last year – up from 45% the previous year. The frequency of attacks has also increased. Among the seven countries, Belgian firms are the most likely to have been attacked, US firms the least likely.
The mean figure for losses associated with all cyber incidents among firms reporting attacks has risen from $229,000 last year to $369,000 – an increase of 61%, with medium and large firms bearing a disproportionate amount of the cost.
Nearly two-thirds of firms (65%) have experienced cyber-related issues in their supply chain in the past year. Three quarters of technology, media and telecoms (TMT) and transport firms have been hit.
While larger firms are still the most likely to suffer a cyber attack, the proportion of small firms (less than 50 employees) reporting one or more incidents is up from 33% to 47%. For medium sized firms with between 50 and 249 employees the proportion has leapt from 36% to 63%.
The figures above are strongly influenced by a sharp rise in the cost of the biggest single incident reported. The mean cost has jumped from $34,000 a year ago to a fraction under $200,000. For large firms, there has been an 18-fold rise to $395,000. The comparable figure for small firms is $9,000, up from $3,000 in 2018.
Mean cost for all incidents experienced in Germany during the year was over $1 million for medium and large firms rising to over $1.5 million for enterprisescale businesses.
The average spend on cyber is now $1.45 million and the pace of spending is accelerating. The total spent by the 5,400 firms in our report comes to a remarkable $7.9 billion. Two-thirds of respondents say they plan to increase their spending on cyber by 5% or more in the year ahead.

The incidence of cyber-attack is high

More than half of firms (57%) have experienced an attack in the past year and two in five (42%) have had to deal with two or more. Larger companies, particularly those in the US, are targeted most often. The average cost of the largest cyber security incident experienced ranges from EUR€22,000 for very small German companies to US$102,000 for very large US companies - somewhat lower than the headline figures often seen.
It takes time to get back to 'business as usual'.

Although three out of five businesses (62%) took less than 24 hours to uncover their biggest cyber incident in the past 12 months, and a quarter (26%) did so within an hour of its occurrence, nearly half (46%) of businesses took two days or more to get back to business as usual.
Cyber security spending is on the increase.

The majority of cyber security budgets (59%) are set to increase over the coming 12 months by at least 5% and one in five firms (21%) will lift spending by a double-digit amount. Nearly half (47%) of firms plan to increase spending on staffing by 5% or more.
Attacks prompt more technology spend.

Around a quarter of firms that experienced a cyber-attack in the past year responded by increasing their spending on prevention technologies (24%) or detection technologies (23%), even though most firms already appear to be well invested in both areas.
Smaller firms hit hardest.

While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts however, with 29% saying they changed nothing following a cyber security incident compared to larger firms (20%).

In terms of adopting key cyber security initiatives, the gap between larger companies and smaller businesses is greater still. For example, while 62% of larger companies say that practising their crisis communications response is a critical or high priority, only 47% of smaller firms say the same.
More than half of firms rank as cyber 'novices' in the cyber readiness test.

Analysing four dimensions of cyber readiness, we created a Cyber Readiness Model, grading firms as either 'cyber experts', 'cyber opportunists' or 'cyber novices'. The experts accounted for just 30% of the survey group while novices made up more than half (53%), suggesting the majority of companies have some way to go before they can claim to be cyber ready.
Six steps for moving from 'novice' to 'expert'.

Our analysis of the gaps between the experts and the novices highlights six areas where the novices can focus their efforts and make up ground. Most are strategy and process-related and do not involve a major financial outlay. The involvement of top management, more employee training, and systematic tracking and documentation are prominent among them. For most companies, throwing more money at the problem is not the answer.
Momentum builds behind cyber insurance?

The take-up of cyber insurance appears to be set to accelerate sharply in the coming year. Nearly half (46%) of those firms that have yet to insure against cyber risks say they are planning to do so in the next 12 months.

Most heavily attacked (71% reported a cyber incident) and most likely to report a supply chain related issue.

Topped the list for frequency of attacks: more than a third of those targeted were attacked four times or more.

16% of the country’s large and enterprise scale firms rank as ‘experts’ on our cyber readiness model – putting them at the top of the table.

81% of French firms received the lowest ranking in our cyber readiness model – just 6% qualify as ‘experts’.

Spent more on cyber security (mean cost of $2.1 million) and suffered the lowest number of cyber incidents.

Least likely to have cyber cover – along with German firms.

Fewer large and enterprise firms qualify as ‘experts’ in our cyber readiness model – down from 20% to 14%.

Hit hardest in the past 12 months with a mean cost for all incidents of over $900,000 – more than twice the average mean cost for all seven countries.

A German firm reported a cost for all incidents of $48 million, the highest figure among the study group.

Best improvers in our 2019 cyber readiness model – proportion with the lowest ranking down from 82% to 76%.

19% of firms reported a distributed-denial-of-service (DDoS) attack compared with an average of 15% across the study group.

Worst hit by cloud outages with 27% of targeted firms reporting a problem.

Firms responded vigorously to an incident with 18% increasing their spending on detection technologies and 22% increasing spending on prevention technologies.

22% increasing spending on prevention technologies. D D Most rigorous approach to evaluating their supply chain risks and yet 72% reported an attack in this area.

Most likely to have a standalone cyber insurance policy: 49% compared with 41% across the study group.

The lowest cyber security budgets with less than $900,000 on average compared with an average across the study group of $1.46 million.

Mean cost of all incidents for UK firms was below average for the survey: $243,000 compared with $369,000.

Most likely to say they could clearly measure the business impact of cyber incidents.

Lowest mean cost of incidents – $119,000 compared with $369,000 across the study group.

Number of large and enterprise firms qualifying as ‘experts’ on our cyber readiness model has more than halved – down from 26% to 11%.

72% of US firms plan to increase their security spending – the highest proportion amongst the seven countries.

Cyber Insurance

We work with a range of organisations to better understand the rewards, challenges and day-to-day responsibilities of running your own business. Get a quote for your cyber insurance and buy online today.
More on Cyber Insurance

The Hiscox Cyber Readiness Report 2019

The Hiscox Cyber Readiness Report 2019

Our third Hiscox Cyber Readiness Report provides you with an up-to-the-minute picture of the cyber readiness of organisations, as well as a blueprint for best practice in the fight to counter the ever-evolving cyber threat.

Executive summary

Key findings

The incidence of cyber-attack is high

It takes time to get back to 'business as usual'.

Cyber security spending is on the increase.

Attacks prompt more technology spend.

Smaller firms hit hardest.

More than half of firms rank as cyber 'novices' in the cyber readiness test.

Six steps for moving from 'novice' to 'expert'.

Momentum builds behind cyber insurance?

Cyber Insurance