The Hiscox Cyber Readiness Report 2019

Rising to the cyber challenge

Our third Hiscox Cyber Readiness Report provides you with an up-to-the-minute picture of the cyber readiness of organisations, as well as a blueprint for best practice in the fight to counter the ever-evolving cyber threat.

Barely a week goes by without news of a major cyber incident being reported, and the stakes have never been higher. Data theft has become commonplace; the scale of ransom demands has risen steadily; and cumulatively the environment in which businesses must operate is increasingly hostile. The cyber threat has become the unavoidable cost of doing business today.

This is our third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms surveyed said they experienced one or more cyber attacks in the last 12 months. Both the cost and frequency of attacks have increased markedly compared with a year ago, and where hackers formerly focused mainly on larger companies, small- and medium-sized firms are now equally vulnerable.

Regulation is going some way to improving awareness and mandating a baseline of cyber security rigour. In 2018, we saw the introduction of the EU’s General Data Protection Regulation (GDPR), to which businesses have adapted, and a by-product of this has been an uptick in demand for cyber insurance. In the pages that follow, we see that more firms are taking a structured approach to the problem, with a defined role for managing cyber strategy, and we can also see more appetite to transfer some or all of the risk to an insurer by way of a standalone cyber insurance policy.

The old adage ‘prevention is better than cure’ springs to mind, and being aware of these threats is half the battle. From our experience as a cyber insurer, business email accounts being compromised is currently the main cause of cyber claims, followed by ransomware.

We launched our online training platform, the CyberClear Academy, a year ago in a bid to better equip our customers against these perils and already more than 2,500 companies have benefited from it. We don’t rest on our laurels though, and will continue to develop other preventative measures that protect our customers and what matters to them.

The cyber risk may mutate rapidly, but progress in mitigating and managing it is also evolving. I hope this report will go some way to helping promote a better understanding of the issues and encourage the adoption of rigorous and effective measures to minimise the cyber threat.

Gareth Wharton

Cyber CEO

Executive summary

Cyber readiness levels stall as attacks reach a new intensity in terms of both frequency and cost.

Key findings

Reasons for optimism despite stalling readiness scores.

  • Our quantitative model of cyber readiness shows a small decline this year in the proportion of firms achieving ‘expert’ scores for their cyber strategy and execution – down from 11% to 10%.

  • The first-time inclusion of French firms has reduced overall scores. There has also been a drop in the number of large (with 250 to 999 employees) and enterprise firms (1,000 plus) in the USA and Germany that achieve top scores.

  • More than three out of five firms (61%) reported an attack in the last year – up from 45% the previous year. The frequency of attacks has also increased. Among the seven countries, Belgian firms are the most likely to have been attacked, US firms the least likely.

  • The mean figure for losses associated with all cyber incidents among firms reporting attacks has risen from $229,000 last year to $369,000 – an increase of 61%, with medium and large firms bearing a disproportionate amount of the cost.

  • Nearly two-thirds of firms (65%) have experienced cyber-related issues in their supply chain in the past year. Three quarters of technology, media and telecoms (TMT) and transport firms have been hit.

  • While larger firms are still the most likely to suffer a cyber attack, the proportion of small firms (fewer than 50 employees) reporting one or more incidents is up from 33% to 47%. For medium-sized firms with between 50 and 249 employees the proportion has leapt from 36% to 63%.

  • The figures above are strongly influenced by a sharp rise in the cost of the biggest single incident reported. The mean cost has jumped from $34,000 a year ago to a fraction under $200,000. For large firms, there has been an 18-fold rise to $395,000. The comparable figure for small firms is $9,000, up from $3,000 in 2018.

  • Mean cost for all incidents experienced in Germany during the year was over $1 million for medium and large firms, rising to over $1.5 million for enterprise-scale businesses.

  • The average spend on cyber is now $1.45 million and the pace of spending is accelerating. The total spent by the 5,400 firms in our report comes to a remarkable $7.9 billion. Two-thirds of respondents say they plan to increase their spending on cyber by 5% or more in the year ahead.

  • The incidence of cyber-attack is high.

    More than half of firms (57%) have experienced an attack in the past year and two in five (42%) have had to deal with two or more. Larger companies, particularly those in the US, are targeted most often. The average cost of the largest cyber security incident experienced ranges from EUR€22,000 for very small German companies to US$102,000 for very large US companies - somewhat lower than the headline figures often seen.

  • It takes time to get back to 'business as usual'.

    Although three out of five businesses (62%) took less than 24 hours to uncover their biggest cyber incident in the past 12 months, and a quarter (26%) did so within an hour of its occurrence, nearly half (46%) of businesses took two days or more to get back to business as usual.

  • Cyber security spending is on the increase.

    The majority of cyber security budgets (59%) are set to increase over the coming 12 months by at least 5% and one in five firms (21%) will lift spending by a double-digit amount. Nearly half (47%) of firms plan to increase spending on staffing by 5% or more.

  • Attacks prompt more technology spend.

    Around a quarter of firms that experienced a cyber-attack in the past year responded by increasing their spending on prevention technologies (24%) or detection technologies (23%), even though most firms already appear to be well invested in both areas.

  • Smaller firms hit hardest.

    While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts, however, with 29% saying they changed nothing following a cyber security incident, compared with 20% of larger firms.

    In terms of adopting key cyber security initiatives, the gap between larger companies and smaller businesses is greater still. For example, while 62% of larger companies say that practising their crisis communications response is a critical or high priority, only 47% of smaller firms say the same.

  • More than half of firms rank as cyber 'novices' in the cyber readiness test.

    Analysing four dimensions of cyber readiness, we created a Cyber Readiness Model, grading firms as either 'cyber experts', 'cyber opportunists' or 'cyber novices'. The experts accounted for just 30% of the survey group while novices made up more than half (53%), suggesting the majority of companies have some way to go before they can claim to be cyber ready.

  • Six steps for moving from 'novice' to 'expert'.

    Our analysis of the gaps between the experts and the novices highlights six areas where the novices can focus their efforts and make up ground. Most are strategy and process-related and do not involve a major financial outlay. The involvement of top management, more employee training, and systematic tracking and documentation are prominent among them. For most companies, throwing more money at the problem is not the answer.

  • Momentum builds behind cyber insurance?

    The take-up of cyber insurance appears to be set to accelerate sharply in the coming year. Nearly half (46%) of those firms that have yet to insure against cyber risks say they are planning to do so in the next 12 months.
