Modern Insurance Magazine Issue 65
[Figure: Impacts of a cyber attack (%). Categories: nothing has changed in past 12 months; lost business partners; fine that had significant impact on business; greater difficulty attracting new customers; solvency or viability of business was threatened; lost customers; reduction in business performance indicators; negative impact on brand or reputation; caused a breach for third-party partners; costs associated with notifying customers.]
Hiscox Cyber Readiness Report
Reality of cyber risk
Vulnerabilities and impacts
The favourite entry point for hackers was once again business
email compromise, mentioned by 35% of targeted companies (and
40% of government and non-profit respondents). The corporate
server, whether owned in-house (mentioned by 31%) or in the cloud
(mentioned by 29%) came second and third. In both cases those
percentages were way down on the previous year, suggesting
preventive work is having an effect.
The energy sector appears particularly prone to breaches of a
corporate owned server. The construction sector tops the list of
industries hit with a cloud server breach alongside travel and
leisure, as well as technology.
The most common outcome of a cyber attack was financial loss due
to payment diversion fraud (mentioned by 34% of attacked firms,
up from 28% two years ago). Loss of data and virus outbreaks
dropped for the second year running.
Some of the knock-on effects of cyber attacks were felt more
widely this year than before. Nearly a third (31%) of firms that
were attacked reported increased costs for notifying customers of
an attack. The figure is up for the second year running. The same
is true of those reporting a breach for third parties, up over
two years from 20% to 26%.
It is worth noting that the disaster scenario is not as remote as
one might believe. One-in-five firms (21%) that were attacked
said the impact was enough to threaten the viability of the
business. That was also the case for a fifth of the very smallest
firms.
Country by country: Ireland stands out
Which countries were most vulnerable? In terms of number of firms
attacked, Ireland stands out this year with more than
seven-in-ten firms (71%) targeted, a third more than the average
for the study group as a whole. Irish firms were also targeted
almost three times as often as the average median and were
significantly more likely to be targeted with ransomware (30%
compared with 20% on average across the study group). More than
half of respondents in Ireland said the first point of entry was
via the corporate owned server (57%) or a cloud server (50%).
In financial terms, the worst hit countries were the UK (with
median costs per firm of $24,200), The Netherlands ($21,400) and
the USA ($20,000). For US and UK firms, business email compromise
ranked top, mentioned by 38% and 37% respectively.
There was a sharp jump in the number of German firms reporting
attacks – up from 46% to 58% – with the median number of attacks
per firm rising from six to ten. By contrast, two countries –
Belgium and The Netherlands – saw a fall in the median average
number of attacks experienced. It may be relevant that The
Netherlands was the only country in our study to have upped its
average cyber readiness score in our maturity model this year.
focus on building resilience
So, given the relentlessness of cyber risk, how can businesses
continue to build their resilience?
It’s evident that those businesses who perform best when
defending against attacks have a number of things in common
- not least a dedicated IT security function, which is a solution
not open to most small and mid-sized organisations.
There are however three highly effective controls, open to all,
including the use of endpoint detection response (EDR),
multi-factor authentication (MFA), and a more prosaic (but no
less effective) programme of employee awareness.
EDR works effectively to monitor end-user devices, looking for
cyber threats like malware and ransomware. Meanwhile, MFA
requires users to supply two or more pieces of identification,
such as a password and PIN before they are able to gain
privileged access to IT systems or personally identifiable
information.
Effective as these tactics are, both approaches continue to
show some signs of stress, having been overcome in some
instances by committed hackers. Nonetheless, they are a good
start towards building a robust security system; one which can
also include measures like controlling communications between
networked devices as well as the all-important back-up of data,
which can secure a remote source and eliminate the potential
for unrecoverable data loss.
Employee awareness of the risk is also critical. After all, most
attacks can only be successful if they are enabled by someone
clicking an attachment on an email and allowing an attacker
entry into a company’s business systems. Improving awareness
can be a relatively low-cost measure in the fight against
cybercrime, but it’s one that is often overlooked by businesses.
Evidently, investment in cybersecurity through measures
like these pays dividends. Hiscox’s report reveals that nearly
half (45%) of the bigger firms surveyed say their exposure
to cyber-attack has reduced in line with increased spending
on cybersecurity – a rise from just over a third (36%) in
2022. Smaller businesses of up to 249 employees have also
upped their median spending. This link between investment
in cyber security and a reduction in the risk should be a clear
consideration as businesses consider their budgets for the next
financial year.
The role of cyber insurance<br />
Part of that investment should include the consideration of cyber<br />
insurance. Many of those businesses with increased cyber risk<br />
maturity (42%) had standalone cyber insurance cover, while<br />
a further 36% had some element of cyber cover in another<br />
insurance policy.<br />
In contrast, smaller firms are behind their larger counterparts<br />
in taking out cover. Insurance should not be perceived as the
preserve of bigger companies, particularly now that cyber has<br />
become such a ubiquitous threat to businesses of every size.<br />
The cost of a cyber insurance premium that can deliver benefits<br />
- such as access to IT forensics, legal and crisis management<br />
support - is especially good value, given how this type of care can<br />
assist with threat mitigation and quickly return a business to the<br />
position it was in before an attack.<br />
Sentiment improves, but no room for complacency<br />
Most importantly, it is crucial for all businesses to build their<br />
awareness of the latest threats and trends, developing their<br />
tactics, techniques and procedures to combat the cyber threat<br />
and build organisational resilience.<br />
An improvement in business sentiment towards cyber risk, as<br />
indicated by the Hiscox Cyber Readiness Report, implies that<br />
as the threat becomes more mainstream, organisations are<br />
becoming more comfortable and confident in dealing with<br />
the likelihood of a cyber-attack - approaching this outcome<br />
in the same way as they would some of their other business<br />
risks. However, this sentiment also reflects a rising spend on<br />
cybersecurity, alongside better implementation of security<br />
measures and increased buy-in<br />
from senior management figures.<br />
Actions like these are to be<br />
welcomed, especially given the<br />
fact that for every business,<br />
the likelihood of cyber-attack<br />
is a case of when, not if.<br />
Eddie Lamb,<br />
Group Chief Information Security Officer, Hiscox<br />
INSIGHT<br />
The link with cyber budgets<br />
Not surprisingly, money is also seen as important.<br />
Bigger cyber risk budgets are prominent reasons for<br />
feeling more cheerful about the cyber threat. Some<br />
45% of bigger firms that say their exposure to cyber<br />
attack has gone down cite bigger budgets and better<br />
risk reduction solutions as a reason why. That is up from<br />
36% the previous year. It begs the obvious question:<br />
is there a link between the size of budgets and reduced<br />
cyber risk? There are tentative reasons for thinking<br />
so this year.<br />
As mentioned earlier, smaller firms have managed to<br />
reduce the median cost of cyber attacks despite their<br />
greater intensity. At the same time, smaller companies<br />
in the 1-9, 10-49 and 50 to 249 employee segments<br />
have materially upped their median spending – by 77%,<br />
36% and 145% respectively. Over two years, firms<br />
with less than ten employees actually quadrupled their<br />
median cyber security spending. By contrast, at the<br />
top end – firms with 250 or more employees – median<br />
spending has been trimmed this year. Here the financial<br />
impact of attacks has continued to rise.<br />
Looking at the country data, Belgian firms spent less<br />
on cyber security than any other group – $69,000<br />
as a median average, down from $144,000 the previous<br />
year. Median losses from cyber attacks nearly doubled.<br />
62% of respondents reported costs of $10,000 or<br />
more – nearly twice the average for the study group.<br />
By contrast, German firms were the biggest spenders,<br />
at a median of $212,000, and saw a reduction in losses<br />
from $21,000 to $16,000. Admittedly, German firms<br />
have topped the cyber security spending averages for<br />
the past three years. But they are the only group that<br />
has seen a material reduction in attack costs over that<br />
period. One thing is certain: the experts in our survey<br />
tend to spend a larger proportion of their IT budgets<br />
Cyber security median spend ($), by number of employees
Year   1-9     10–49    50–249    250–999   1,000-plus
2023   8,100   47,900   147,700   922,000   4,900,000
2022   4,600   35,300   60,200    938,800   5,500,000
2021   2,000   20,000   59,300    355,800   2,500,000
Money is only part of the resource equation<br />
The number of people being deployed to counter<br />
the cyber threat is also relevant. Belgian, Irish and US<br />
companies lead in this area with an average 97, 95<br />
and 84 people in the cyber team respectively. They are<br />
way ahead of the rest. Yet behind those averages lies<br />
an interesting statistic: 15% of US and UK firms are<br />
without a managerial role dedicated to cyber security.<br />
That compares with just 8% of German firms, for<br />
instance. The USA and the UK happen to be two of<br />
the three worst hit countries in this year’s survey.<br />
The existence of a dedicated cyber security head is<br />
one of the key differentiators between the experts and<br />
the rest. Only 4% of the firms qualifying as experts this<br />
year lacked a role dedicated to cyber. That contrasts<br />
with more than a quarter (27%) of the novices. Many<br />
of them are smaller companies for whom this is clearly<br />
a resource issue. More than a third (34%) of firms with<br />
fewer than ten employees said they had no defined role<br />
for cyber security. This dropped to 9% for firms in the<br />
ten to 49 employee bracket. However, and perhaps<br />
more worryingly, smaller firms also lag in less money<br />
sensitive areas such as putting in additional security<br />
or employee training after an attack.<br />
1. https://www.hiscoxgroup.com/cyber-readiness
2. https://www.gov.uk/government/statistics/business-population-estimates-2023/businesspopulation-estimates-for-the-uk-and-regions-2023-statistical-release