Many UK firms are failing to adequately assess their customers and trading partners for cyber risk, and are more vulnerable to cyber attacks themselves as a result, according to a study published by Marsh.
Marsh’s Cyber Risk Survey Report found that nearly 70 percent (69.4 percent) of respondents from large and medium-sized corporations across the UK do not assess the suppliers and/or customers they trade with for cyber risk. Further, more than half of respondents (51.4 percent) stated that their organization has not been asked by its bank and/or customers to demonstrate a competent standard of IT security practice in order to do business with them.
Stephen Wares, Marsh’s cyber risk practice leader, Europe, the Middle East and Africa (EMEA), commented: “If organizations are to reduce the threats arising from cyber attacks, more work needs to be done to consider cyber security as a business issue, as opposed to a technical problem. This is especially true for larger organizations, which attract highly motivated and sophisticated hackers that might identify smaller business partners that are typically less well protected as the ‘back-door’ into their IT systems.”
Additionally, Marsh’s survey results reveal that board-level ownership of cyber risk remains comparatively low: IT departments continue to take primary responsibility for cyber risk in the majority (55.5 percent) of organizations, while the board takes primary responsibility for cyber risks in less than one fifth (19.4 percent) of the organizations surveyed.
Marsh also found that while the majority (52.8 percent) of firms surveyed have or are seeking to buy cyber insurance in the next 12 months, only 11 percent currently have policies in place.
“Cyber risk management should be at the heart of the strategic decision-making process. Only with board-level support can companies take the big strides needed to advance their knowledge and perform the financial modelling required, to judge the value of the risk transfer options available on the market,” said Wares.
Marsh’s findings are based on research among risk managers and chief financial officers from more than 100 large and medium-sized UK firms, including financial services, manufacturing, retail, healthcare and energy/utility companies.
Marsh’s latest research follows the publication of a report in March by HM Government and Marsh, UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, which unveiled a series of initiatives between government and the insurance industry to help firms manage cyber risk more effectively.