The World Economic Forum ranks cyber-attacks as a top-five risk in terms of combined likelihood and impact worldwide.
But while MinterEllison's Perspectives on Cyber Risk report shows there is significant awareness of, and concern about, cyber risk among its survey respondents, that awareness is not reflected in the practical measures being adopted to mitigate the risk.
The report draws on two surveys: one was distributed to company chairmen, directors and CEOs (Board Survey) and a second to CIOs, general counsel and other risk-related managers (CIO Survey). Among board members, 60% saw cyber risk as being more of a risk than it was 12 months ago; 54% ranked it as a medium risk (that is, outside the top five risks); and a further 29% ranked it as a high risk.
Nearly 40% of CIOs reported a cyber-attack compromising their organisations’ systems or data in the past 12 months, and 8% reported more than five attacks.
The risk is real
A majority (58%) also indicated that their organisations were spending more on IT security than they were 12 months ago.
A majority of respondents to both the Board Survey and CIO Survey considered that their organisations had an adequate or detailed understanding of their exposure to the risk of cyber-attacks, while 58% of CIO Survey respondents reported being ‘somewhat satisfied’ or ‘very satisfied’ with their organisations’ current capability to prevent and respond to cyber-attacks.
[Chart: Where does cyber risk rank on your organisation's corporate risk register? (Board Survey)]
Insurance not embraced
Only 25% of respondents confirmed their organisation held specialist cyber risk insurance. A further 32% were unsure of whether cyber risk was addressed in their existing insurance arrangements.
[Chart: Does your organisation have cyber risk insurance?]
Enterprise-wide challenge
While the IT department is viewed by 59% of respondents to the Board Survey as having principal responsibility for cyber risk management, compliance and review activities, the qualitative responses to the CIO Survey suggest that organisations are increasingly treating cyber risk as an enterprise-wide challenge.
[Chart: Who in your organisation is principally responsible for its cyber risk management, compliance and review activities?]
[Chart: How many times has your organisation been subject to a cyber-attack in the past 12 months that has compromised its systems or data? (CIO Survey)]
[Chart: What level of understanding does your organisation have of its exposure to the risk of cyber-attack? (CIO Survey)]
[Chart: To what extent do you consider that the board is adequately informed of, and kept apprised of, cyber risk issues? (Board Survey)]
Source: Perspectives on Cyber Risk, January 2016, MinterEllison
Satisfaction guaranteed?
Despite this apparent satisfaction, over half (58%) of respondents to the CIO Survey were either unsure whether, or not satisfied that, their organisation's systems or data were appropriately segmented to mitigate the impact of a cyber-attack.
Supply chain risk
Only 28% of respondents to the CIO Survey reported that they regularly audited their suppliers’ IT security practices. Similarly, only 20% of respondents indicated that they regularly audited their customers’ IT security practices.
[Chart: Does your organisation regularly audit your suppliers' IT security practices (at least annually)? Source: Perspectives on Cyber Risk, January 2016, MinterEllison]