25% of large UK firms concerned about their crisis resilience according to Arthur J. Gallagher research

  • Gallagher research into large companies’ preparedness against security crises finds 24% concerned or unsure about their resilience
  • Cyber extortion & terrorism top two threats experienced in past two years — with 51% believing their business to be at high risk of cyberattack in next 12 to 18 months
  • Firms warned box-ticking approach to crisis resilience can create a false sense of security and undermine their ability to anticipate, prevent, respond and recover

Large UK companies — in the FTSE 350 or with a market cap of £500m or more — are increasingly aware of the fast-evolving security threats they face, with businesses bracing themselves for an increased likelihood of direct impact from crises such as terrorism or cyber extortion, according to new research findings by YouGov commissioned by Arthur J. Gallagher.

Two in five (40%) large UK companies surveyed have experienced a security threat in the past two years – extortion being the most common, experienced by 38% – and more than half expect to face some form of extortion (60%) or specifically cyber extortion (51%) in the next 12 to 18 months. Meanwhile 8% of large UK company respondents had faced a terrorism incident in the past 24 months, with this number rising to 22% when asked whether they felt their company to be at risk of terrorism in the next 12 to 18 months.*

However, despite the majority of firms surveyed by YouGov having invested in tools such as security, insurance and business continuity, disaster recovery or crisis management planning to mitigate and manage the impact of these fast-evolving security threats, nearly a quarter (24%) are concerned or unsure about their resilience levels.

The Gallagher report, Building a culture of resilience: new approaches in a changing threat environment, released today, looks at the preparedness of large UK companies for the changing and rising threat environment, their expectations as to the biggest risks they face today and how resilient they believe themselves to be to modern-day crises in the near future.

Most large companies have at least some tools in place to manage the impact of security threats, and 76% feel they are somewhat or very resilient. But taking a siloed, disjointed and box-ticking approach to crisis resilience can lead to a false sense of security, the report states.

Only half of the companies Gallagher surveyed had tested their crisis-response systems in the past six months, despite the fast-changing threats, and two in five have not modelled their exposures to ensure they are truly prepared. Creating an integrated, modelled, and tested resilience culture that cuts across departments strengthens companies’ ability to withstand attacks and is more cost-effective, Gallagher says.

“Building a culture of crisis resilience takes time and effort but the rewards are high”, says Paul Bassett, Managing Director of Gallagher’s Crisis Management practice. “Our research has found the majority of large UK companies – but far from all of them – have invested in the tools necessary to build resilience in the face of rising and amorphous threats such as terrorism, cyberattacks and extortion. But these tools provide a false sense of security if they are not joined up in a comprehensive and cohesive approach that brings together all the key functions needed to play a role in preventing or responding to fast-evolving security threats.

“Only by proactively engaging and coordinating the efforts of risk, HR, security, finance, IT, communications, legal and real estate can a company maximise its ability to successfully anticipate, prevent, respond and recover from today’s heightened risk of threats.”

Justin Priestley, Executive Director of Crisis Management at Gallagher, added: “Crisis management plans must be short, principle-based and genuinely stress-tested to enable rapid decision-making and communication at times when there will be a vacuum of information, panic and pressure from stakeholders on all sides.

“But getting crisis resilience right means the total cost of managing risk will be lower too, since insurance becomes a backstop rather than playing a central role. Comprehensive solutions will bolster confidence among internal and external stakeholders that a company will survive and prosper, regardless of the deepening threat environment.”

* The survey was completed just prior to the ‘WannaCry’ ransomware incident and the Manchester and London terrorism events.