Boards failing to take ownership of cyber risks

Published: Friday, 03 April 2015 15:09

Despite growing levels of awareness and understanding of cyber risk among large and medium-sized corporations across the UK and Ireland, board-level ownership of the issue remains comparatively low with many firms relying on their IT departments for the strategic direction of their cyber risk strategies.

According to the Marsh Risk Management Research, UK & Ireland 2014 Cyber Risk Survey Report, cyber risk now features prominently on the corporate risk registers of organizations across the UK and Ireland, with one quarter (24 percent) of respondents placing it in the top five risks they face and over half (56 percent) placing it in their top ten.

However, Marsh’s research found that cyber risk is managed and reviewed at board level in just 20 percent of respondents’ organizations with 57 percent of respondents stating that the overall responsibility for the assessment and management of cyber risk lies with their IT departments.

Stephen Wares, Cyber Risk Practice Leader, Europe, the Middle East and Africa (EMEA), Marsh, commented: “For those organizations that cited the board as the primary risk owner, there is recognition within these businesses of the potentially catastrophic impact that cyber risk may have on their revenues and reputations.

“Increased board-level ownership will accelerate efforts to understand how cyber risk affects organizational risk profiles, and will foster the adoption of more sophisticated risk mitigation measures. It will also improve the ability of companies to secure correctly targeted insurance protection at attractive premiums, should they decide to transfer some of the risk to the insurance market.”

Although only 32 percent of respondents stated that their organization has assessed the estimated financial impact of a cyber attack, more than half of those surveyed plan to buy or seek quotations for cyber insurance within the next 12 months.

“Marsh’s data suggests a significant rush to market in the next 12 months, representing a considerable increase in active engagement with this class of insurance. Nearly twenty years after the first cyber policies were offered, cyber insurance has finally come of age and is now recognised by prospective buyers as delivering valued protection,” said Mr Wares.

Obtain the UK & Ireland 2014 Cyber Risk Survey Report.