View this article online: https://www.insurancejournal.com/news/international/2021/04/19/610514.htm

Cyber Attacks on the Rise for Businesses, Pushing Many to the Brink: Hiscox

The proportion of businesses targeted by cyber criminals in the past year increased from 38% to 43%, with over a quarter of those targeted (28%) experiencing five attacks or more, according to the Hiscox Cyber Readiness Report 2021.

Those attacks are pushing many firms to the brink, with one in six businesses attacked (17%) saying the financial impact materially threatened the company’s future.

These are among the findings of a survey of 6,042 companies in the U.S., UK, Belgium, France, Germany, Spain, the Netherlands and Ireland. Now in its fifth year, the Hiscox Cyber Readiness Report 2021 surveyed a representative sample of organizations.

On a more positive note, the report shows firms are responding to the cyber challenge: mean spending per business on cyber security has more than doubled in the last two years.

The report emphasized that there was a wide range of financial costs for cyber attacks, with smaller firms suffering the largest losses relative to size of business. For micro firms with under 10 employees, the median cost was $8,000.

However, 5% of the companies surveyed, which had experienced cyber attacks, suffered costs of $300,000 or more.

“One German business services firm experienced breaches costing the equivalent of $474,000 per employee,” the report said.

“One of the big takeaways of this report is the worrying range of financial impacts that cyber attacks can have,” commented Gareth Wharton, Hiscox Cyber CEO.

“The risk of inaction is that the next attack could be enough to sink the business,” he added. “Cyber is a complex problem but that does not mean it is unmanageable. With good risk management and appropriate cyber insurance, firms can contain the impact of an attack and limit the damage.”

The report contains a new cyber readiness model that gauges firms’ strengths in six key cyber security areas across people, process and technology. It is designed to be interactive, allowing businesses to check and compare their cyber maturity with their peers, draw on best practice in each area, and develop cyber resilience, said Hiscox.

Scoring survey respondents against the readiness model highlighted the number of firms lacking true cyber resilience, noted the report. For example, only one in five (20%) qualified as an “expert,” while more than a quarter (27%) were classed as novices.

Other key findings from the report include:

• Ransomware now commonplace. Around one in six firms (16%) was targeted with ransomware and more than half (58%) paid the ransom. In the U.S., the proportion paying a ransom was 71%. The costs of recovery from a ransomware attack were typically almost as high as any ransom paid (making up an average 45% of overall cost). Phishing emails were the main way in for the ransomware extortionists, with smaller companies more at risk. Some 74% of firms with fewer than 10 employees, targeted with ransomware, blamed phishing as the point of entry, compared to 65% of the biggest firms surveyed.
• Cyber security spending doubles. The average firm now devotes more than a fifth (21%) of its IT budget to cyber security – an increase of 63% in a year. Mean spending per firm on cyber has more than doubled in two years – from $1.45 million to $3.25 million. German firms are the biggest spenders at an average of $5.5 million. Belgian firms spend the least ($1.9 million on average).
• Three key sectors targeted. These were technology, media and telecoms (56%), financial services (55%) and energy (54%). The percentage of firms targeted in each of these sectors was typically up from 44%, 44%, and 40% respectively in 2020.
• Insurance take-up still patchy. Adoption of standalone cyber cover crept up from 26% of firms to 27% over the year. Take-up was highest among large companies and those ranked as “experts.” Small firms remain resistant to insurance: nearly half (44%) of those with under 10 employees said they had no intention of buying insurance cover.
• More big firms on firing line. As past surveys have noted, the probability of being targeted rises sharply according to size of firm. This year there was a much steeper curve – from 23% for the smallest to 61% for enterprise firms (those with 1,000-plus employees). This compares to last year’s report when equivalent figures were 31% for the smallest and 51% for enterprise firms.
• German firms hardest hit. German businesses accounted for more than a third of total losses across the entire study group at $48 million. They also topped the table for the median cost of all attacks ($23,700) and the largest single attack ($5.1 million).
• Experts fared better. Firms that qualified as “experts” in Hiscox’s cyber readiness model suffered fewer ransomware attacks, were less likely to pay the ransom and recovered more quickly. The U.S. had the highest proportion of cyber experts (25%) and one of the lowest median costs of attacks. The UK ranked second, with 23% of firms ranked as experts. UK firms were least likely to have had a cyber attack (just 36%) and most likely to have defended it successfully.

About the study

The fifth annual Hiscox Cyber Readiness Report was compiled in collaboration with Forrester Consulting. It is based on a survey of executives, departmental heads, IT managers and other key professionals. In total 6,042 professionals involved in their organisation’s cyber security effort were contacted (1,000-plus each from the UK, U.S., France and Germany, more than 500 each from Belgium, Spain, and the Netherlands and 300 from Ireland). Respondents completed the online survey between Nov. 5, 2020 and Jan. 8, 2021.