To many multinational corporations, the findings of the recent Marsh-Microsoft 2019 Global Cyber Risk Perception Survey have provided a fruitful lesson in the value of knowing what you don’t know. Yet, despite the global trajectory of declining confidence in organisations’ ability to assess, manage and mitigate cyber risk, UK companies have rapidly increased in confidence in these areas since 2017.
Since that year, globally, there has been a 100% increase in the number of firms saying they have “no confidence for understanding and assessing cyber risks”. This rapid decline of global confidence in critical areas of cyber resilience highlights a growing concern surrounding cyber risk.
Sarah Stephens, UK cyber, media and technology leader at Marsh JLT Specialty, highlighted how an influx of available information regarding cybercrime is likely responsible for this change. However, Stephens said there is a positive element to this decreased confidence, with its implication of increasing awareness in this area, thus stimulating discourse on how best to manage the risk.
Organisations in the UK and Ireland, however, have subverted this trend with 32% of firms queried saying that they are confident they can understand and manage cyber risk. Twenty per cent (20%) of these firms now say that they believe they can mitigate and prevent cyberattacks - an increase of 16% from 2017. Finally, 26% of these surveyed companies state they are confident that they can manage and respond to cyberattacks.
Across every critical area of cyber resilience, UK companies have increased confidence in their capacity to respond to, mitigate and manage this risk.
This is not to say that there is a reduced understanding of the full implications of cyber risk in the UK. From 2017 to 2019, the percentage of companies ranking cyber risk among their top five concerns has increased from 58 to 72. Cyber threats and attacks are now ranked alongside the major risk factors of brand damage, economic uncertainty and supply chain disruption for UK companies.
In the UK, as in the global market, there is more understanding than ever before of the need to manage cyber risk. Reflecting on cyber risk’s inclusion among the major threats facing companies, Jano Bermudes, head of cyber risk consulting, UK & Ireland, at Marsh, said: “As companies go down the digital transformation route, all the major risk factors of an organisation tend to become inter-related.”
This digital transformation challenge is one the UK insurance market has eagerly risen to accept, and Bermudes outlined how cyber and digital transformation represent a huge opportunity for growth to UK companies.
“In the UK, there is a view that there is an opportunity to create a digital economy or to lead in a number of areas, and I think that is driving optimism,” he said.
The UK is aware of the instrumental role it can potentially play in the digital transformation of industry and is responding to this by implementing cyber risk solutions. These solutions include the essential step of expanding the ownership of cyber risk within an organisation.
Stephens outlined how both UK and Irish organisations have embraced a multidisciplinary approach to this problem with a “sharp increase in risk management and legal and compliance getting involved in the conversation.”
Bermudes agrees that this is essential, and that a problem shared between disciplines in an organisation is a problem better challenged.
“What legal and risk represent to IT is a second line of defence,” he said.
Bermudes also sees the confidence of UK companies in their capacity to manage cyber risk as a reflection of the work that has been done in the UK market to mitigate this risk, and of the early perception of the full scale of this issue by companies and by regulators. Stephens and Bermudes both agree that there is, however, significant work to be done to improve engagement among board members.
Despite the UK’s cyber confidence outstripping that of its global counterparts, cyber remains a complex risk area which requires careful consideration and management.
“Only 32% of firms think they can even begin to understand their risk, that is shockingly worrying,” said Stephens.
The future does look bright, however, with Stephens stating that over 60% of FTSE 100 companies already possess cyber insurance, a figure which is expected to accelerate as a multi-disciplinary approach encourages engagement with cyber risk within the UK.