Board-level ownership of cyber risk rising, but UK firms still failing to fully assess threats, according to Marsh report

Despite increasing levels of boardroom ownership, many UK firms are still failing to estimate the financial impact of a cyber-attack or assess their suppliers and customers for cyber risk, according to research by Marsh, a global leader in insurance broking and risk management.

Marsh’s UK Cyber Risk Survey Report 2016 found that board-level ownership of cyber risk among the UK businesses surveyed has increased from 19% in 2015 to 30% this year. Levels of understanding have also increased compared to 2015, with 83% of respondents saying they have a basic or complete understanding of their company’s cyber exposure, compared to 61% last year. IT departments remain responsible for the review and management of cyber risks in the majority (55%) of firms.

However, Marsh found that only 26% of respondents believe that their organisation’s supply chains are assessed for cyber risks, up slightly from 22% in 2015, despite this being a known source of breach. Furthermore, just 35% of respondents’ organisations have been asked to demonstrate a competent standard of IT security practices by their bank and/or customers in order to do business with them.

Mark Weil, CEO, Marsh UK & Ireland, said: “This increase in board-level ownership and control suggests that the recent series of high-profile cyber incidents has resulted in UK organisations recognising that cyber threats are serious. We also welcome the growing take-up of cyber insurance as a way for boards to verify in the risk market that their security measures are effective. The gaps in assessing supplier risk and quantifying the scale of cyber threat suggest that there is still plenty to do.”

According to Marsh’s research, 29% of respondents have bought, or are in the process of buying, cyber insurance cover, while an additional 26% are currently engaging with the insurance market and are seeking quotations for cyber insurance.

Marsh’s findings are based on research among risk and finance professionals from large and medium-sized firms across the UK. The research follows the publication of a report in May by Marsh and TheCityUK, Cyber and the City, which set out ways in which the UK financial and professional services sector can become more resilient to cyber-attacks.