Cyber and IT-related risks top the list of what keeps CEOs and risk managers awake at night, according to the 2015 International Business Resiliency Survey, conducted by Marsh and Disaster Recovery Institute International (DRII)*.
“Cyber and other IT-related risks are considered to be the most likely to occur and those with the potential to cause the greatest impact,” said the survey, noting that these two risks also are identified as key to business goals and reputation management.
Worryingly, the survey found that risk managers, risk owners and CEOs “all have different perceptions about the severity of the risk scenarios affecting their organizations and the adequacy of the control measures in place.”
Among 10 suggested risk scenarios in the survey, the top risks that were identified by respondents in terms of impact and likelihood are:
- reputational damage from a sensitive data breach (impact is 79 percent; likelihood is 79 percent);
- the failure in a main IT data center (impact 59 percent; likelihood 77 percent);
- online services being unavailable due to a cyber attack (impact 58 percent; likelihood 77 percent).
The survey found that the risks with the lowest potential impact originate from a product recall event (impact 15 percent; likelihood 21 percent).
Respondents appear to be more comfortable with traditional risks, such as business interruption and political risk, which received the lowest percentage of responses in terms of likelihood and impact. However, this is not the case for non-traditional risks, “with cyber in particular giving risk managers and CEOs the greatest cause for concern,” the survey found.
The level of resilience of their organizations was considered to be high for natural catastrophes and IT system failure (40 percent and 44 percent, respectively), and low for political violence and an activist group attack on social media (both 32 percent), the survey found.
Inadequate Insurance Protection?
Despite these risks, the survey revealed that CEOs overestimate their levels of insurance protection for the most likely and high-impact risks.
For example, 28 percent of CEOs respondents thought they have dedicated insurance coverage against cyber attacks, while 21 percent believed they have protection for reputation damage after a data breach. However, only 6 percent of risk managers stated they have dedicated coverage for these two risks.
When asked about the least likely risk scenario to affect their organizations, 82 percent of risk managers mentioned local regulations; conversely, 77 percent of CEOs said this was one of the risks most likely to happen. The survey said this finding reveals another area of disconnect between CEO and risk manager perceptions.
IT Systems Crucial to Reputation
Three out of four respondents considered the failure of IT systems as one of two areas that could have the greatest impact on their organization’s reputation, along with the lack of crisis management planning, the survey found. Both CEOs and risk managers identified IT system failure prevention (29 percent) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25 percent).
“It is interesting to note that CEOs place less importance on the resiliency of IT systems in relation to reputation management, while giving greater attention to crisis management planning,” the report said.
Business Continuity Planning Essential
As a result of the survey’s findings, Marsh recommended that organizations review existing business continuity and crisis management frameworks to ensure they are properly addressing traditional and emerging risks, in particular, data breach scenarios and the resilience of IT systems.
Specifically addressing cyber risks, Marsh said, companies should undertake a comprehensive review of their cyber exposures. “The availability of a cyber crisis management plan is of paramount importance to secure organizations’ reputations.”
Marsh suggested that a cyber risk control strategy should be designed for the entire organization and should be led by a cross-functional cyber risk committee.
“In addition, firms should undertake a comprehensive review of the dependencies of critical services and processes from information systems and IT technologies,” said the report accompanying the survey results.
As respondents’ organizations appear to be better prepared against traditional risks, which have greater levels of insurance cover than non-traditional risks, David Batchelor, president of Marsh’s International Division, recommended that organizations revisit coverage options.
“Product innovations in specialty insurance such as cyber make this a good time for organizations to revisit their coverage to make sure that it is properly nuanced to meet the unique needs of their industry and the corporation’s business goals,” said Batchelor.
* Marsh, in collaboration with DRII, surveyed nearly 200 C-suite executives, risk professionals and business continuity managers from large and medium-sized corporations internationally about their organizations’ attitudes toward business risks and the risk mitigation processes they have in place.
Source: Marsh