German and French companies least prepared for IT failing or cyber attack
ACE surveyed more than 600 chief risk officers, chief financial officers and chief operating officers from businesses across Europe in recent months, and has found that IT and cyber risk is one of the most important emerging risks for businesses, second only to the threat of terrorism and political violence.
The survey findings suggest that businesses, particularly larger corporations, are finally waking up to the risks of an IT failure. However, the findings also unveiled plenty of shortfalls. Although larger companies are beginning to realise the potential risks from a cyber incident, small and medium businesses are much less likely to do so.
Companies in France and Germany are least likely to have crisis management procedures in place to deal with an IT or cyber incident. Around 60% in both markets have no procedures in place, significantly higher than the pan-European average of 49%.
So, while large corporations may be taking steps to reduce their exposure, their supplier and partner companies may not be doing the same, which could leave the supply chain exposed.
The recent IT problems that companies reported are not limited to hacking by outsiders. The most common type of loss reported relates to the unauthorised use of computer systems by internal or external sources.
System failure caused by a loss of network communications ranks second. Incidents that involve hackers are not far behind. In fact, some 36% of European companies say they have experienced a loss as a result of hacking in the past five years.
In total, 52% of companies surveyed say they feel somewhat or completely unprepared to deal with cyber risk. The number rises to 64% in France, 63% in Benelux and 61% in Germany. It is higher in all continental markets than in the UK.
Gilbert Flepp, Cyber Risk Manager for ACE in continental Europe, likened the problem to walking on snow in the Alps in springtime. “When the temperature is +2 degrees, you can walk on the snow easily. The sky is still blue and everything looks the same, but the temperature drops to -2 degrees and suddenly the snow becomes a sheet of ice and you will slide to the bottom.
“This is the same, the landscape looks the same but everything has changed. The risk is greater and people are worried,” said Mr Flepp.
Companies have every reason to be afraid, according to Iain Ainslie, Technology and Cyber Underwriter for ACE in London. Companies face risks in three areas, he said. “First party risks—what if something fails and you cannot get into the website? This may not be the result of hacking. It could be a physical problem. But the firm’s IT is affected none the less,” said Mr Ainslie.
“The second area is liability relating to the content published. More and more businesses publish content for which they do not have copyright. They may also breach privacy rules—firms simply don’t understand the rules and don’t realise when they are in breach,” added Mr Ainslie.
This, he said, was particularly important in terms of consumer data thanks to stringent laws in the US and a tougher regulatory landscape looming in Europe.
The third area of risk is around the expense. “A cyber breach can be extraordinarily expensive,” said Mr Ainslie. “It is no longer OK to keep a breach quiet. Again in the US it is the law to admit to a problem and Europe is starting to move in the same direction,” he continued.
Mr Ainslie is not surprised that European companies still feel unprepared to deal with a major cyber incident. But he believes that this will change. “If you look at London in the 1970s when the IRA bombs went off, firms were not prepared. Now every firm in the city has a plan,” he said.
One reason for the lack of preparedness may be that 49% of companies currently have no plans in place to manage a cyber crisis. “It does not have to cost a fortune to get risk management up to speed. But first it is essential firms have a better understanding of the risk itself and then firms can choose whether to absorb the risk or to transfer it out,” said the underwriter.
Mr Ainslie believes that the insurance market can help, whether it’s the brokers or insurers, getting information to clients. “We know insurance is important to businesses—almost two-thirds of those surveyed said insurance was important for their cyber risk strategy. It seems companies have a better understanding of the risk…[but]…are not doing what is necessary to prepare.”
One of the big issues for firms is what insurance to buy.
Mr Ainslie said the survey revealed that a lot of people believe existing insurance would help deal with a loss. But this is not necessarily the case.
“38% of European companies believe they have specific insurance for IT and cyber risks under their business interruption policies, while 31% say that they are covered for some risks under kidnap, ransom and extortion coverage,” said Mr Ainslie.
“However, in practice, many traditional commercial property and casualty policies may fall short of the cover needed for comprehensive protection against the risks associated with first party losses and potential third party liabilities. We have seen cases where companies thought they had coverage under a general liability policy but the insurers fought the claim and it wasn’t paid,” he warned.
“Our survey shows there is real confusion among businesses,” he added. “Companies need to consider what would be adequate protection. And we found 20% didn’t have any policy at all. The cyber insurance market is in its infancy but it will grow. Lloyd’s has been having conversations at government level about how to help companies and access to insurance will change,” continued Mr Ainslie.
Mr Flepp believes increased regulation will spur firms to take greater interest in this risk. “Under the new data directive published in draft last February [by the European Commission], companies might face fines of up to 2% of global turnover if they are unable to protect data,” he warned.
Mr Flepp does not expect quite such draconian measures to be agreed under the final terms of the directive. But he pointed out that a new set of rules will be in place by 2014 and companies will be expected to improve data protection measures.
One of the questions that companies will have to ask themselves is who needs to deal with cyber-related risks. Mr Ainslie said that too many firms expect the chief information officer to take responsibility, even though they are unlikely to be the right person to assess the insurance requirements.
“We have been selling cyber insurance for many years. I can’t tell you how much we have struggled to even get the CIOs and CROs in the same room. And when we do, it is obvious that they have rarely met before. However, that is changing and has changed, particularly in the past couple of years.”
Every business will face a unique cyber risk, depending on how it operates. However the message was clear that all businesses face considerable risk—one that is only likely to grow in the coming years.
- Commercial Risk Europe held a Cyber Risk—Risk Frontiers seminar in September in Brussels in partnership with the Belgian risk management association Belrim where the new directive and responsibilities of risk managers in tackling cyber risk was discussed in depth. For coverage of this event and the follow up management report please go to www.commercialriskeurope.com.