Many business issues keep CEOs and CFOs up at night, but none may be more prevalent or critical than cyber security.
While bigger companies typically make the headlines when a breach is discovered, smaller firms are also the target of increasingly sophisticated assaults from hackers around the world.
The good news from Marsh & McLennan Agency’s 2018 cyber risk report is that C-suite and other senior executives of small- to -midsize organizations say they are ready and quite capable of dealing with or thwarting a cyberattack.
However, the findings also suggest that many may be overconfident, and key elements of their response plan may be lacking.
In MMA’s survey of more than 1,100 executives across North America, most said they understand the risks facing their organizations and the magnitude of the challenge.
- 78% said they were highly or at least fairly confident that their organization would be able to manage and respond to a cyber attack.
- 82% said they were highly or at least fairly confident that their organization would be able to understand and assess a cyber-attack.
- 60% said cyber security is one of the top five risks facing their business.
But awareness of the risk doesn’t necessarily translate into concrete steps to actively manage it. The findings raise questions about whether C-suite executives and their team members are taking on more cyber risk than they realize.
- Only 18% said their organizations have developed a cyber incident response plan. A common theme in the findings is the gap between understanding the risk of a cyber breach and having a plan in place to manage an incident.
- Less than 40% of participants have performed gap assessments, phishing training, or penetration testing. These security practices are becoming more common and affordable. Some vendors and insurance policies include these services.
- 17% are not confident of their organization’s ability to manage, respond, and recover from a cyber incident. However, organizations that took preventative measures were more confident in their ability to handle an attack.
- 36% don’t know what their organization is doing about cyber insurance. Of the 36% of respondents that have cyber insurance, none planned to discontinue their coverage.
MINIMIZING THE IMPACT WITH CYBER INSURANCE
Even well prepared organizations experience breaches
Thus far in 2018, the 10 largest breaches resulted in the unauthorized disclosure of more than 1.7 billion records. One of the breaches alone involved more than 1.1 billion records.
When breaches of this magnitude occur, insurance can reduce the accelerating costs of a cyber breach. According to the Ponenom Institute, which tracks cyber breaches, the global average cost of a data breach in 2018 reached $3.86 million, up 6.4 percent from a year ago.
Specialty Cyber/Data Liability (Cyber) policies will cover most of the costs of a data breach. Because each insurer writes these policies differently, the quality of coverage can vary dramatically. An insurance broker with cyber expertise can be an invaluable partner in evaluating the options.
The following outlines the major types of cyber coverage.
Privacy liability: Covers unauthorized access or disclosure of both private-personal and business-confidential information
Media and content liability: Covers infringement of copyright and trademark, as well as personal injuries like libel and slander
Network-security liability: Covers damages to others if your systems are hijacked, penetrated, or infected
Regulatory action: Covers legal expenses incurred for defense against regulators and also pays privacy fines where permitted
Network interruption: Pays net profits during a period of interruption–after a 12-hour waiting period–for logical attack, such as DDOS, virus, and hacks.
Cyber extortion: Pays should criminals hold your systems hostage or seek to monetize a breach via ransom
When a breach occurs, there are a wide range of expenses. Cyber coverage can cover the following:
- First-party costs to limit losses, comply with privacy laws, or to prevent resulting lawsuits
- Conducting a forensic investigation to determine the cause of a security or privacy event
- Notifying potential victims: printing, mailing, advertising, phone-bank support
- Expenses-related to PR, crisis management, or law firms to minimize damage and increase trust
- Identity-theft education, credit-file monitoring or identity restoration services
- Required breach-response service at the insurer’s discretion
While C-suite executives have a greater awareness of cyber risk and are purchasing cyber insurance, there is a continuing disconnect between cybersecurity concerns and taking steps to prevent or mitigate a cyber-attack.
Without a proper plan, there could be major consequences for a small- to mid-size organization.
With offices in Los Angeles and across California, Marsh & McLennan Agency helps organizations manage cyber risk. MMA can put together a comprehensive risk assessment for your organization and has access to leading providers of cyber insurance. Download Marsh & McLennan Agency’s 2018 Survey on Cyber Risk at www.MMA-West.com/Cyber-Report.
Mike Grant is a Principal at Marsh & McLennan Agency in the Business Insurance division. With over 20 years of experience in the insurance industry, Mike crafts comprehensive risk management programs for his clients and specializes in cyber and data liability.