Professional Documents
Culture Documents
2018 Hiscox Cyber Readiness Report
2018 Hiscox Cyber Readiness Report
2018 Hiscox Cyber Readiness Report
Cyber Readiness
Report
The Hiscox Cyber Readiness Report is compiled
from a survey of more than 4,100 executives,
departmental heads, IT managers and other key
professionals in the UK, US, Germany, Spain and
The Netherlands. Drawn from a representative
sample of organisations by size and sector, these
are the people on the front line of the business
battle against cyber crime. While all are involved
to a greater or lesser extent in their organisation’s
cyber security effort, 45% make the final decision
on how their business should respond. The report
not only provides an up-to-the-minute picture
of the cyber readiness of organisations large and
small, it also offers a blueprint for best practice
in the fight to counter an ever-evolving threat.
1 Foreword
2 Executive summary
4 A watershed year for cyber
6 Gauging the scale of the cyber threat
10 Cyber readiness model
14 Measuring the response
16 What makes an expert?
18 Insurance
20 Research methodology
Foreword
Countering the cyber threat
Cyber security poses a challenge unlike On the plus side, however, it offers
any other. Businesses large and small, valuable insights into how firms can up
both public and private, face an enemy their game and strengthen their defences.
that is unseen and largely unknown, has Often the answer is not ‘more technology’
seemingly shape-shifting powers and but proactive thinking, more rigorous
appears utterly unrelenting. Each year processes and better trained staff.
brings a renewal of the contest but in
a subtly different form. This is an enemy Hopefully, this report will provide a spur
that can be confronted but never to further action. It is certainly timely.
quite defeated. As the following pages show, if an
organisation was spared a serious attack
If anyone still harboured doubts about in 2017, there is a good chance it will
the severity of the threat, the events be targeted in the future. The resultant
of the past year should have dispelled economic loss is only part of the story;
them. From the WannaCry ransomware the potential harm to a firm’s reputation
Gareth Wharton
attack to the hacking of one of the world’s and its standing with customers can
Cyber CEO
largest credit agencies, 2017 produced be significantly more damaging.
Hiscox
numerous reminders that operating in
a connected world has fearsome perils. For an increasing number of
The cost of these attacks has undoubtedly organisations, a key part of the solution
run into the billions. is to transfer some or all of the risk to an
insurer. Hiscox is a specialist provider of
It is an old adage that you should hope cyber and data risk insurance, providing
for the best but plan for the worst. That standalone cover to more than 20,000
is certainly true when it comes to battling firms, big and small, around the world
cyber crime. In today’s world, there is no under the CyberClear brand. For many
alternative to investing in sophisticated of those customers, peace of mind is
prevention and detection systems and matched by the knowledge that they can
supporting them with the people and turn to us to help them get back up and
processes that will make them effective. running after a serious incident.
This study not only reinforces that message
but it provides a detailed picture of what As an indication of how seriously we
cyber readiness really looks like. take the issue of customer support in
this area, we have just launched a cyber
This is the second Hiscox Cyber Readiness academy, which is designed to aid cyber
Report, conducted by Forrester Consulting, risk awareness among our customers
and it has been expanded to cover more and improve their ability to detect and
than 4,100 organisations, large and small, respond to cyber threats.
in both private and public sectors, across
five countries – the UK, USA, Germany, At Hiscox, we will continue to expand
The Netherlands and Spain. our services in cyber and play our part
in helping mitigate the impact of cyber
It puts the spotlight not only on the crime on our customers. We hope that
financial consequences of individual cyber in aiding understanding of the issues
breaches but also on the enormous cost involved, and highlighting cyber readiness
in terms of investment made to counter best practice, this report contributes
the threat. Above all, it measures the to that process.
cyber readiness of respondents using
a multi-dimensional model built on best
practice in cyber strategy and execution.
As an end of term report, it might have
the words ‘can do better’ scrawled on
it in red ink. It highlights the cyber
readiness shortcomings of the majority
of the organisations in our sample,
particularly the smaller ones.
DDSeven out of ten organisations bigger IT budgets than the novices DDGerman firms face costliest
fail the cyber readiness test. ($19.8 million on average versus incidents. We asked organisations
We measured organisations’ cyber $9.9 million) and devoted a higher to estimate the cost of their single
security readiness according to proportion to cyber security (12.6% largest incident. German firms
the quality of their strategy (broken versus 9.9%). Some firms spent a lot reported the highest average figures
down into oversight and resourcing) more – with 37% devoting between with the highest cost for a single
and execution (processes and 11% and 25% of their IT budgets incident of $5m. At the other end
technology). From this we produced to cyber. Financial services firms of the scale, Spanish organisations
a cyber readiness model that divided are the largest spenders on cyber, contained the cost per incident to
respondents into ‘cyber novices’, followed by the pharmaceuticals a maximum of $800,000.
‘cyber intermediates’ and ‘cyber and healthcare sector and then
DDSpending set to rise. Nearly three
experts’. Nearly three-quarters government entities.
out of five respondents (59%) plan
of organisations (73%) fell into the DDE xperts more proactive. What to increase their cyber security
novice category, suggesting they sets the cyber experts apart from budgets in the year ahead. New
have some way to go before they the cyber novices? Nine out of technology tops the shopping list
are cyber-ready. Only 11% qualified ten (89%) have a clearly defined despite this being the area where
as experts. cyber strategy, most (72%) are the bulk of firms appear best
DDKeen awareness of the threat. prepared to make changes after prepared. The experts lead the
While many firms lack adequate a breach and 97% incorporate way: for example, more than half
defences, most are keenly aware security training and awareness (55%) plan to increase spending on
of the potential impact of a cyber throughout the workforce. Seven awareness training compared with
attack. Two-thirds of respondents out of ten (72%) have conducted only 29% of novices.
(66%) rank the cyber threat phishing experiments to gauge
DDWatershed year for cyber
alongside fraud as the top risks employee preparedness and three
insurance? The EU’s General
to their business. out of five (60%) say they have
Data Protection Regulation (GDPR)
cyber insurance.
DDLarger firms show the way. comes into force in May. With tough
The larger organisations in the DDEvens chance of being targeted. penalties for the loss of personal
sample are better prepared: more Almost half (45%) of the 4,103 data, it is expected to provide a
than one-in-five (21%) of those organisations surveyed were hit boost to European take-up of cyber
with 250 employees or more rank by at least one cyber attack in the insurance. The report shows that
as experts. A further 17% qualify past year and two-thirds of those one-third (33%) of respondents
as intermediates. US and UK firms targeted suffered two or more currently have standalone cyber
generally score better than the rest attacks. Spanish organisations cover while a further quarter (25%)
(13% are experts) while Dutch firms were the most heavily targeted say they plan to take out cover in
come bottom of the pile (just 7% are (57% suffered an attack). Financial the coming year. Nearly two out
experts). Not surprisingly, perhaps, services, energy, telecoms and of five (38%) still say they have no
technology, media and telecoms government organisations are prime plans to take out cover. Most likely
organisations score highly. At the targets for hackers. to be covered are financial services
other end of the scale, professional firms (48%). The report also reveals
DDCosts range up to $25 million.
services firms have some considerable confusion over the
Taking only those organisations that
catching-up to do. extent to which firms are covered
were targeted, the average cost
for cyber incidents under their
DDSmaller firms lack resources. of cyber crime, aggregating all
general business policies.
Organisations with fewer than 250 incidents, to each business over
employees devote a smaller the past year was $229,000. But the
proportion of their IT budgets to average masks some wide variations.
cyber (9.8% on average versus For the largest organisations in
12.2% for larger organisations). the report (those with 1,000-plus
In accordance with the findings employees), the average costs
ranged between $356,000 in Spain
mentioned above, just 7% of smaller
and $1.05 million in the US. Some
firms rank as cyber experts.
organisations faced still higher costs
DDYou get what you pay for. – up to $25 million in the US and
On average, the organisations $20 million in Germany and the UK.
in our sample had an IT budget of For the very smallest (those with fewer
$11.2 million, of which 10.5% was than 100 employees), average costs
devoted to cyber security. However, ranged between $24,000 in Spain
the cyber experts had markedly and $63,000 in Germany.
$5m
antivirus or antispyware technologies.
$20m
With the largest average IT budgets, UK
53% Among the smaller firms in the survey
(up to 250 employees), German ones
firms top the table for spending on cyber More than half (53%) of the US government have been hit hardest by cyber crime,
security. However, the cost of breaches entities in the survey report an attack with an average cost of $55,000 over
is still among the highest in the survey: in the past year. Among the larger US the past year. When it comes to individual
for larger UK firms that were targeted organisations that were targeted, the cost incidents, German organisations also
in the past year, costs ran to $20 million, of cyber attacks ran to $25 million with report the highest cost figures – ranging
with an average of $463,000. the average coming out at $578,000. up to $5 million.
82%
More than four in five (82%) Dutch
11%
Spanish organisations devote the largest
organisations rank as cyber novices. proportion of their IT budgets to cyber
Despite the fact that they are most likely at 11%. Two-thirds of firms targeted(67%)
to have suffered at least three cyber attacks made changes after an attack (compared
in the past 12 months (experienced by with 53% across the five countries).
47% of Dutch respondents), they come
bottom of the table for both IT spend
and for the proportion devoted to
cyber security.
57%
42%
Dutch firms lag in other areas too.
They are the most heavily targeted,
with 57% reporting one or more attacks
in the past year. They are most likely to
For instance, they are least likely to provide cite external attacks as the most common
cyber security training and awareness source of cyber incidents that have
programmes across the workforce: interrupted their business in the past
only two in five (42%) do so. 12 months (29% of them).
Communication High profile victims suffered severe The survey highlights a widening gulf
Headquarters and was reputational and financial damage,
sometimes because they had not taken
between those who ‘get’ cyber security,
take it seriously, and spend appropriately,
responsible for setting up the threat seriously and done the basics, and those who still regard the issue as
the UK’s National Cyber and sometimes because their handling
of the breach revealed deeper corporate
someone else’s problem. Cyber security
is not an IT issue but rather a risk for the
Security Centre. He is an failings. For smaller companies, the whole organisation; tackling it is more
adviser to Hiscox. inability to operate, for example after
a ransomware attack, was fatal for
about people, behaviour and culture
than clever technology.
the business.
Those companies which have
If minds were not already focused by successfully prevented attacks or handled
this, 2018 promises to be the year when them well when they got through, have
mandatory reporting of cyber breaches understood that cyber is a fast-moving
raises awareness and reputational risk but manageable risk. Insurance has a
further, as the EU General Data Protection key role to play in helping companies to
Regulations (GDPR) come into force. get that risk management right, both in
prevention and incident response.
The cyber threat itself is set to grow in
volume and severity, as criminal groups The growth of the cyber insurance market,
gain access to more sophisticated tools especially in the US, underlines this.
and become more reckless. The rapid Together with more assertive activity from
growth of the ‘internet of things’ will regulators in many countries, insurance
amplify insecurities by adding millions of will help to raise the baseline of security for
new devices with minimal built-in security. the whole economy as well as saving many
For those trying to protect against attack, smaller companies from severe damage.
the shortage of cyber skills will continue
to be chronic.
The answer is the double risks of cyber of those who suffered an incident and
attack and fraud. Increasingly, the two are nearly half of respondents (45%) rank an
linked as fraud moves online. We asked ‘external attack targeting our organisation’
our survey group of more than 4,100 as having the most impact on
managers and senior executives in five business performance.
countries to rate their concern over
different types of risk and the potential This year, the most frequently reported
impact they could have on the organisation types of attack are virus/worm infestation,
in the coming year. Two-thirds (66%) put ransomware and DDOS (distributed
the cyber threat on a par with fraud at the denial of service, where multiple
top of the list. compromised systems, which are often
infected with a Trojan, are used to target
As this report shows, for organisations in a single system) – mentioned by 21%,
both the private and public sectors, there 12% and 10% of the full survey sample.
is now an evens chance of at least one
cyber incident in any 12-month period. Spanish organisations are markedly
Just under half (45%) of respondents say more likely to report an incident of virus
they suffered a cyber attack in the past or worm infestation in the past year (30%).
year. Of those organisations that were Internal incidents such as an insider threat,
targeted, more than two-thirds (67%) a configuration change or an HR incident,
suffered two or more attacks and just rank as the second most serious type
over one in five (21%) suffered four of incident (mentioned by 16%) and the
or more. A small number were targeted loss or theft of devices such as a laptop
more than ten times in the year. comes third (14%).
90%
80%
70%
60%
Spain
50% Germany
Bigger organisations targeted Netherlands
It is the larger firms in the study that appear 40%
to be the hackers’ favourite targets – not UK
surprisingly, perhaps, as there are richer US
pickings to be found. As the chart (right) 30%
shows, the proportion of respondents
reporting one or more attacks in the past 20%
year rises sharply for organisations with
250 employees or more.
10%
Counting the financial cost
Cyber crime is costly for the victims. 0% 1– 20 – 50 – 100 – 250 – 500 – 1,000 – 5,000 – 20,000+
We asked those organisations that had 19 49 99 249 499 999 4,999 19,999
suffered an attack (1,853 out of the 4,100
survey sample ) to estimate the financial Survey conducted by Forrester Consulting on behalf of Hiscox.
cost of all the cyber security incidents they
had experienced in the past 12 months. Cost of all cyber security incidents
Nearly a third of them replied ‘don’t know’. Average estimated cost of all of an organisation’s incidents in the past 12 months
The average among the remainder
was $229,000. 249 or fewer 250 or more 1,000 or more
employees employees employees Overall range
The averages mask some wide variations. Germany $55,067 $406,653 $640,408 $500 – $20m
For smaller organisations, average costs
ranged between $22,000 in Spain and Netherlands $32,760 $280,784 $531,158 $1,000 – $10m
$55,000 in Germany. For larger ones the Spain $22,175 $259,230 $355,761 $500 – $5m
average costs ranged between $259,000
in Spain and $579,000 in the US. For the UK $33,787 $462,633 $554,596 $1,000 – $20m
very largest organisations (with 1,000-plus
US $34,604 $578,762 $1,047,465 $350 – $25m
people) the range was between $356,000
(in Spain) and $1 million (in the US).
Cost of largest cyber security incident
However, some organisations suffered Average estimated cost of an organisation’s largest incident in the past 12 months
much higher costs: up to $25 million in the
US and $20 million in Germany and the UK. 249 or fewer 250 or more 1,000 or more
employees employees employees Overall range
At the top end of the scale – among the Germany $11,918 $86,834 $150,891 $10 – $5m
very large entities – it is US organisations
that are paying the highest price. The Netherlands $4,489 $66,767 $127,417 $10 – $2.5m
$1 million average cost of cyber incidents Spain $3,789 $31,359 $41,733 $20 – $800,000
in the past year for firms with 1,000-plus
employees is almost exactly twice the UK $4,063 $56,870 $65,668 $10 – $1.2m
average for the other four countries. At
US $4,883 $60,258 $106,583 $20 – $2m
the bottom end, among firms with up to
250 employees, it is German organisations
that report the highest average cost of
cyber crime, at $55,000.
Assessing the broader impact About this year’s report The Hiscox view
For a small number of those hit by The study group for this year’s Cyber The large number of organisations that
a breach, the impact went beyond the Readiness Report has been materially have been targeted on multiple occasions
immediate cost in dollars and cents. expanded. It now includes approximately in the past year gives some indication of the
1,000 managers and executives from scale of the cyber threat. The figures here
Seven percent said they had lost Spain and The Netherlands, bringing the show the direct costs of cyber crime. More
customers as a result of a cyber attack number of countries involved to five and difficult to calculate is the extent to which
and 5% said they had found it more increasing the number of respondents this drains people and resources that could
difficult to attract new ones. A similar to approximately 4,100. more profitably be deployed elsewhere.
number said they had lost business Fighting the cyber battle raises the costs
partners. In 6% of cases the organisation It has also been expanded to include of doing business for all concerned.
had laid off employees. non-profit and governmental organisations
(making up 5% of total respondents in
Most difficult to quantify is the long-term each case). The proportion of multinationals
impact on an organisation’s reputation has been reduced from 32% to 20%
and standing. Some 5% of those hit by and the proportion of local organisations,
a cyber attack in the past year said the bad defined as those with operations in a single
publicity had damaged the brand. country only, lifted from 44% to 56%.
Experts
Excellent: 5
17% 16%
15% 14%
13% 13%
10% 11%
9%
7%
Often, this is not because of under- US and UK more cyber-ready Cyber readiness model methodology
investment in technology. As last year, this US firms emerge as the most cyber-savvy, Respondents were shown a series
is the area where respondents have racked followed closely by their UK counterparts of statements relating to cyber security
up the highest scores. The implication is (see chart above). While Spain comes strategy and execution. Each statement
that many organisations see the cyber fourth in the table, it actually boasts represents best practice in its area.
threat as primarily a technology one, and the second-highest number of cyber
are failing to support their investment in intermediates. Dutch organisations The strategy statements were broken
security technology with a formal strategy, lag by some margin. down into two sections – oversight and
sufficient resourcing and training, and resourcing. Two examples: ‘Cyber security
sound processes. There are also wide disparities between has a formal budgeting process which
sectors. The technology, media and is integrated into all security projects
Larger firms show the way telecoms sector accounts for 14% of the and activities’ and ‘Cyber security
Not surprisingly, larger organisations are survey sample but provides nearly one- competencies are regularly reviewed
more likely to populate the top right hand in-five cyber experts (19%). Manufacturing, using established metrics according
corner – the cyber experts. financial services and retail/wholesale to roles and responsibilities’.
also punch above their weight as cyber
This may not just be a matter of resources experts. At the other end of the scale, The execution statements were similarly
given that, as we have seen, larger firms professional services firms clearly have split between processes and technology.
are more likely to be targeted. More than some catching-up to do. They account They included: ‘Security incident and
one in five organisations with 250 or more for 8% of the survey sample but only event data from key servers and devices
employees (21%) makes it into the expert 4% of cyber experts. is automatically aggregated and analysed’
category, and a further 17% rank as and ‘Strong authentication is integrated
intermediates on one axis or the other. You get what you pay for throughout the environment’.
Multinational organisations make up a third The gulf in cyber readiness between
of all the experts. Given the difference the cyber novices and the cyber experts Respondents were asked to indicate the
in cyber budgets, between the larger is mirrored in their expenditure on IT extent to which each statement described
organisations in our survey sample and and the proportion of it they devote to their organisation’s current approach.
the smaller ones, that is to be expected. cyber security (see table below). The They were given a range of options from
implication of the figures is that the ‘doesn’t describe our approach at all’
What is more surprising is that there average cyber expert spends $2.5 million (which scored one) to ‘exactly describes
is little difference between the mid-sized a year on cyber defence compared with our approach’ (scoring five).
organisations (defined here as 50 to $980,000 for the average cyber novice.
249 employees) and the very smallest In other words, you get what you pay for.
(49 or fewer). A similar number – 7% – rank
as cyber experts in each grouping, though Just as the bigger organisations in our
there are slightly more cyber novices report make up a disproportionately
among the very smallest (79% versus 77%). large number of the cyber experts, so
Cyber attacks occur frequently regardless of maturity Cyber experts Cyber intermediates Cyber novices
Number of incidents in the past 12 months
35%
31%
30%
28% 28%
26%
19%
18%
13%
11% 11%
10% 10%
8%
6%
5%
4%
3%
Significant numbers of firms are One in eight (12%) said they had introduced In every area of spending, it is the cyber
responding to the intensifying cyber additional security and audit requirements experts that are most likely to increase
challenge in two ways: by upping their and a similar number said security and/ their budgets. One example: 55% of cyber
game and lifting their spending. or privacy were now regularly evaluated. experts plan to lift their spending on training
In 9% of cases, the breach had prompted compared with only 29% of cyber novices.
We asked all organisations to list their the organisation to purchase or enhance Given that the cyber experts already
top security priorities for the coming a cyber insurance policy and the same devote a larger percentage of their IT
year, giving them a long list of options number had increased spending on threat budget to cyber security (see page 13),
from which to choose. The chart on page intelligence capabilities. Some 7% had it would appear that the gap between
15 (top) highlights the top ten initiatives switched their IT auditors. them and the rest is set to widen rather
and the percentage of respondents who than shrink in the year ahead.
selected them. It is as interesting for what Spending rise led by the cyber experts
does not make the top ten as what does. The majority of respondents (nearly three The Hiscox view
out of five – 59%) are increasing their Spending on technology is often the easy
Just outside the top ten is ‘preparing cyber security budgets for the coming part. To be effective, you have to move
for a cyber crisis’, mentioned by 43% year. New security technology heads the on all fronts together. That means people,
of respondents. ‘Enhancing disaster list, with 57% of organisations increasing processes and technology. Simply
recovery capabilities’ comes a few places their spending here – despite the fact that spending on technology is not enough
further down (mentioned by 42% of this is the area in which our respondents without a fully structured, rigorous set of
respondents). ‘Simulating a cyber attack are already best prepared (see Cyber processes combined with people who are
to test the firm’s response’ comes right readiness model – page 10). fully aware of the issues. It is especially
at the bottom – mentioned by 35% of disappointing that so few people appear
respondents. Spanish firms are the most enthusiastic to simulate a cyber attack and practise
spenders on technology: 60% of them what to do when their systems go down.
What changes as a result of an attack? plan to lift spending in this area. A third
We also asked those organisations that of respondents (34%) intend to increase
had suffered a cyber attack in the past employee awareness training and more
12 months what they had changed as a than a quarter (26%) will bring in more
result. Remarkably, nearly half (47%) said cyber security staff. But in both instances,
‘nothing’. The remainder had made a rather more respondents are planning to
number of changes. Increased spending cut spending (36% and 33% respectively).
on prevention and detection technologies Similarly, a small number of respondents
heads the list – mentioned by 13% plan to reduce their security
of respondents. outsourcing budget.
Cyber security spending plans in the next 12 months Increase more than 10% 5% to 10% increase No increase
22% 23%
13%
21%
18% 21%
Overall cyber security spending New security technology Cyber security employee training
9%
9% 9%
15%
17% 16%
What is striking is the gulf between Engagement. Cyber experts get support operations (mentioned by 32% of cyber
the responses of the cyber experts on from the top and engage a broader experts but only 15% of cyber novices)
the one hand and the cyber novices range of stakeholders when setting their and e-commerce (22% of cyber experts
on the other. None of these statements organisation’s cyber security strategy. but only 9% of cyber novices).
can be considered contentious. Take Experts are more than twice as likely
for instance: ‘We will damage our brand to agree that ‘there is formal support for Organisation and professionalism.
if we do not handle client and partner data cyber security from business leaders and All but a few cyber experts have one or
securely’. It might be expected that those executives on an ongoing basis’ (86% more roles dedicated to combating the
in business would take that as a given. versus 38% for cyber novices). In addition, cyber threat. Just over half (52%) have a
But while nearly nine out of ten cyber more than two-thirds (68%) of cyber dedicated leader or executive responsible
experts (89%) agreed or strongly agreed experts involved the board and executive for cyber security and just under half (46%)
with this statement, only 59% of cyber management in setting strategy, while say they have a dedicated team to back
novices felt able to do the same. By only 52% of cyber novices did so. that leader up. That is around twice the
contrast, there is strong buy-in to all the comparable numbers for cyber novices.
statements in the table from the great By country, it is German organisations
majority of cyber experts. that are most likely to have board-level Just over four-fifths of cyber experts
involvement in the strategy-setting say they can clearly measure the business
Strategy. Nine out of ten cyber experts process (64% of them). UK and US impact of incidents that disrupt their
(89%) have a clearly defined cyber security organisations are most likely to involve business. They also document and track
strategy – compared with less than half IT (57% each). US organisations lead cyber security centrally on an ongoing
(49%) of cyber novices. Cyber experts in giving operations a say (25%). basis and around three quarters of
are likely to have put in place a formal them (76%) make cyber security data
budgeting process, which is integrated Asked which of 11 different functions available to all stakeholders on a ‘near
into all security projects and activities. were involved in setting strategy, the real-time basis’.
In nine out of ten cases (89%), the decision cyber experts generally ticked off
structures and processes are clearly significantly more boxes than the cyber The cyber experts are also more proactive.
defined. More than four out of five (83%) novices. Four-fifths (82%) of cyber More than seven out of ten (72%) say they
cyber experts identify the compliance experts engaged the IT department in have conducted phishing experiments
requirements through a combination of the strategy-setting process, nearly twice to understand employee behaviour and
active research, automated alerts and the number of cyber novices who did the preparedness for attacks. The equivalent
information from content providers. same (44%). There is a similar picture in figure for cyber novices is 37%.
Experts are better at training and evaluation Experts are more likely to make changes after an incident
Cyber experts Cyber novices Cyber experts Cyber novices
97% Increased spending 28%
90%
83% on detection
technologies 10%
Survey conducted by Forrester Consulting on behalf of Hiscox. Survey conducted by Forrester Consulting on behalf of Hiscox.
There is a sharp divide between big The US market has been helped by
and small among those who say they have the progressive introduction of mandatory
One of the defining characteristics no plans to adopt cyber insurance. More breach notification. From May this year,
of the cyber experts identified in this than half (52%) of US smaller businesses any organisation operating in Europe will
report is their take-up of standalone say they have no intention of taking out be subject to the GDPR, the first significant
cyber insurance. Three out of five (60%) cyber cover. That contrasts with just 9% overhaul in data protection across most
cyber experts say they have cyber cover of larger US organisations. Smaller firms of Europe for 15 years.
and a further 31% say they plan to take in Germany and The Netherlands also
out cover in the coming 12 months. appear quite resistant to cyber insurance GDPR not only makes breach notification
For comparison, across the full survey – with 50% and 49% of them respectively mandatory but lifts the ceiling for fines
sample, one-third of respondents (33%) saying they have no plans to take out cover. for breaches to penal levels – potentially
say they have standalone cyber cover €20 million or 4% of an organisation’s
while a quarter (25%) say they intend Financial services firms are the most likely worldwide turnover. This could be
to adopt it in the coming year. to have cyber insurance cover. Just under a watershed moment. The GDPR has
half (48%) say they have a standalone a catch-all element to it; even if an
The report shows that smaller companies cyber policy. At the other end of the organisation is not domiciled in Europe,
still have some way to go to catch up spectrum, nearly half of food and drink it will be covered by the legislation if it has
with their bigger counterparts. More organisations (46% ) and 43% of any kind of operation there.
than half (57%) of organisations with 250 professional services firms say they
employees or more say they have cyber have no plans to take out cyber cover. While most organisations in this report
insurance – and for the very biggest appear to have taken the GDPR’s
organisations with 20,000-plus people, Waiting on the GDPR wide-ranging impact on board,
the figure is higher still, at 64%. Among The big question is whether cyber insurance a significant number have not. Overall,
organisations with fewer than 250 take-up in Europe will get a boost this 62% of respondents say ‘ensuring
employees, the proportion drops year in the shape of the EU’s General Data compliance with GDPR is a top priority’,
to under a quarter (23%). Protection Regulation (GDPR). yet that leaves 38% for whom it is not
62%
58% 58%
4% 55%
49%
33%
38%
33%
25%
Consultation 37%
a pressing issue. The figure among cyber Additional services a big attraction The Hiscox view
experts is 90%. Interestingly, 60% of The opportunity to draw on additional The figures for those either insured
US respondents also see compliance services is clearly one of the attractions already or planning to take out cyber
as a priority – suggesting the measure’s of insurance. Nearly half (49%) of those cover look high. But there is no doubt
extra-territorial implications are recognised. with cover or planning to take out cover this is one of the fastest-growing areas
say they either use or are planning to of the insurance market. We are seeing
Among those already covered or planning use the insurer’s employee training. penetration spread rapidly from the US
to take out cover, the top two reasons Nearly half (47%) will turn to their insurer to the UK and mainland Europe, and
for doing so are the cost of a potential for risk assessments. The ability to get from larger customers to smaller ones.
breach/the desire for peace of mind and consultative advice is also mentioned
the fact that cyber insurance policies offer by 37% of respondents.
‘additional expertise that I do not have’.
More than a third (34%) cite the attraction Once again, it is the cyber experts who
of additional expertise as a reason for appear the most conscious of what
taking out cover. is on offer. They expect much more from
their insurer. Training, risk assessments
And what reasons do respondents give and preventative hardware and software
for not taking out cover? Some 46% say top the list of services.
‘cyber insurance is not relevant for me’
while 27% think it is ‘too expensive’. Nearly Confusion still reigns
one in five (19%) says cyber policies are Large numbers of respondents believe
‘so complicated, I don’t understand what their general business insurance policy
the insurance would cover me for’. covers them for various cyber incidents.
The results suggest the insurance industry For example, nearly two-thirds (64%)
still has some work to do. of all respondents think it covers them
in whole or in part for a data breach
Interestingly, C-level executives appear resulting in loss of customer data and 57%
more resistant to the idea of cyber insurance think it covers them for DDOS (distributed
than those they manage. Only 28% say denial of service).
they have taken out cyber cover and 44%
say they have no plans to do so.
9% Professional services 8%
Financial services 7%
2% Construction 7%
Two to five Six to 19 20 to 49 50 to 99 100 to 249
Business services 7%
More than 250 employees (30% of total)
Government 5%
9%
Non-profit 5%
8%
Travel and leisure 5%
6%
Food and drink 5%
Transport and
4% 5%
distribution
3%
Property 4%
Energy 3%
250 to 499 500 to 999 1,000 to 5,000 to 20,000+
4,999 19,999 Other 1%
18423 02/18