More than one-third of risk professionals throughout Africa, Europe and the Middle East have experienced a material or significantly disruptive loss relating to a data breach or security exploit in the past 24 months, with the average financial impact of these incidents in the region of $2,1-million. The most common EMEA cyber incident was an attack that caused disruption to business and IT operations, according to Aon Risk Solutions in a research report undertaken during March 2015 in partnership with The Ponemon Institute, surveying 545 risk professionals across 15 countries in the EMEA.
“Within the next five years, Cisco estimates there to be 50-billion Internet-connected devices in the world by 2020,” says Kerry Curtin, manager: financial institutions & professional risks at Aon South Africa. “The transformation of the world’s economies from historical tangible products and manual labour services to reliance on technology and information assets is rapid and severe.
“Cloud computing, mobile devices, social media, big data analytics and the explosion of the Internet of Things have driven this digital transformation, and at the same time the inherent and very real risks. In conducting this report, Aon wanted to understand how organisations qualify and quantify the impact of cyber-related assets. This particular survey focused on the relative financial statement impact of cyber incidents compared to tangible asset vulnerabilities.”
Aon sponsored the report to help business get a better understanding of the relative financial statement impact of tangible property and network risk exposures, assisting organisations in allocating resources and determining the appropriate amount of risk transfer (insurance) resources needed. All respondents were familiar with the cyber risks facing their companies.
In the context of this research, cyber risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. Network risk exposures can broadly include breach of privacy and security of personally identifiable information, stealing an organisation’s intellectual property, confiscating online bank accounts, creating and distributing viruses on computers, posting confidential business information on the Internet, robotic malfunctions, and disrupting a country’s critical national infrastructure.
Despite the comparability of the average potential loss to information assets of $617-million and property, plant & equipment (PPE) of $648-million, the percentages of insurance coverage between respondents differs dramatically.
The findings clearly show that information assets are either not insured or underinsured against theft or destruction based on the value, probable maximum loss and likelihood of an incident occurring, even though probable maximum loss could exceed $200-million. The disclosure or reporting of a material loss of PP&E and information assets also differs between respondents. Only 50% of respondents say their company would disclose the loss of PP&E in its financial statements as a footnote disclosure. However, 34% of respondents say a material loss to information assets does not require disclosure.
Despite the serious risk, companies are reluctant to purchase cyber insurance coverage. Fifty-two percent of respondents believe their companies’ exposure to cyber risk will increase over the next 24 months.
However, only 19% of respondents say their company has cyber insurance coverage in the first place, even though 37% of companies in this study experienced a material or significantly disruptive security exploit or data breach one or more times during the past two years and the average economic impact was $2,1-million.
“In today’s technology-driven environment, enterprise risk management issues are rapidly growing with the increased use of information assets and technology and present an ever-increasing exposure to business,” says Curtin. “And yet, despite this, far too many organisations remain seriously underinsured in respect of cyber risks where the quantum for a catastrophic attack or exploit could exceed $200-million.
“This could put many organisations out of business and devastate their brand reputations and trustworthiness in the eyes of the consumer, taking years to recover, if at all. In this regard, consulting with a professional risk advisor is an invaluable exercise in protecting your reputation, data, clients and bottom line.”