Cyber and IT risks top concerns of senior execs: Marsh

Business executive consider cyber and IT-related risks to be the most likely to occur and have the greatest potential impact on their operations, according to a new study by insurance broker Marsh and the Disaster Recovery Institute International (DRII).

The 2015 International Business Resiliency Survey, surveyed nearly 200 senior executives, risk professionals and business continuity managers from large and medium-sized corporations internationally about their organisations’ attitudes toward business risks and the risk mitigation processes they have in place.

Results indicate organisations are better positioned to address traditional than non-traditional risks and that risk managers and chief executive officers (CEO) have different perceptions about the severity and control measures in place for various risks facing their organisations.

Among 10 suggested risk scenarios, the top risks in terms of impact and likelihood are: reputational damage from a sensitive data breach (impact 79 percent - likelihood 79 percent); the failure in a main IT data centre (59 percent – 77 percent); and online services being unavailable due to a cyber attack (58 percent- 77 percent). The risks with the lowest potential impact originate from a product recall event (15 percent – 21 percent).

CEOs overestimate their levels of protection for the most likely and high-impact risks, according to the survey, with 28 percent saying they have dedicated insurance coverage against cyber attacks and 21 percent claiming they have dedicated insurance protection for reputation damage after a data breach. However, only 6 percent of risk managers said that they have dedicated coverage for these risks.

“Product innovations in speciality insurance such as cyber make this a good time for organisations to revisit their coverage to make sure that it is properly nuanced to meet the unique needs of their industry and the corporation’s business goals,” said David Batchelor, president of Marsh’s international division.

“Additionally, having a well thought out crisis management plan is a critical element in protecting an organisation’s reputation.”

Three quarters of respondents considered the failure of IT system as one of two areas that could have the greatest impact on their organisation’s reputation, along with the lack of crisis management planning. Both CEOs and risk managers identified IT system failure prevention (29 percent) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25 percent). However, CEOs placed far less importance on the resiliency of IT systems (60 percent) in relation to reputation management.

The majority of organisations believe they are better positioned to deal with traditional than non-traditional risks: respondents rated the level of resilience of their organisations to be high for natural catastrophes and IT system failure (40 percent and 44 percent respectively), and low for political violence and an activist group attack on social media (both 32 percent).