Cyber-attacks on the rise for businesses but insurance take-up still patchy - Hiscox

The proportion of businesses targeted by cyber criminals increased from 38 percent to 43 percent in the past year, with over a quarter of those targeted (28 percent) experiencing five attacks or more, according to the Hiscox Cyber Readiness report 2021.

The report found that cyber-attacks are pushing many firms to the brink, with one in six businesses attacked (17 percent) saying the financial impact materially threatened the company’s future.

Nevertheless, insurance take-up is still patchy: adoption of standalone cyber cover crept up from 26 percent of firms to 27 percent over the year. Take-up was highest among large companies and those ranked as “experts” in Hiscox’s cyber readiness model. Small firms remain resistant to insurance: nearly half (44 percent) of those with under ten employees said they had no intention of buying insurance cover. However, evidence elsewhere in the report shows that small firms are vulnerable to phishing attacks and credential theft.

These are among the findings of a study of 6,042 companies across eight countries, commissioned by specialist insurer Hiscox. Encouragingly, the report shows firms are responding to the cyber challenge: mean spending per business on cyber security has more than doubled in the last two years.

Now in its fifth year, the Hiscox Cyber Readiness Report surveyed a representative sample of organisations in the US, UK, Belgium, France, Germany, Spain, the Netherlands and Ireland.

The centrepiece of the report is a new cyber readiness model that gauges firms’ strengths in six key cyber security areas across people, process and technology. It is designed to be interactive, allowing businesses to check and compare their cyber maturity with their peers, draw on best practice in each area, and develop cyber resilience.

Scoring survey respondents against the readiness model highlighted the number of firms lacking true cyber resilience. One in five (20 percent) qualified as an “expert”, and more than a quarter (27 percent) were classed as novices.

This year’s report is notable for the range and unpredictability of cyber-attack costs. For micro firms with under ten employees the median cost was $8,000. But 5 percent of those attacked suffered costs of $300,000 or more. There was a similarly broad range of outcomes for medium, large and enterprise firms.

Around one in every six firms attacked (16 percent) was targeted with ransomware and more than half (58 percent) paid up. In the US, the proportion paying a ransom was 71 percent. The costs of recovery from a ransomware attack were typically almost as high as any ransom paid (making up an average 45 percent of overall cost). Phishing emails were the main way in for the extortionists, with small companies particularly likely to succumb.

Firms that qualified as experts in Hiscox’s cyber readiness model suffered fewer ransomware attacks, were less likely to pay up and recovered more quickly. The US had the highest proportion of cyber experts (25 percent) and one of the lowest median costs of attacks. The UK ranked second, with 23 percent of firms ranked as experts. UK firms were least likely to have had a cyber-attack (just 36 percent) and most likely to have defended it successfully.

The report found that the average firm now devotes more than a fifth (21 percent) of its IT budget to cyber security–an increase of 63 percent in a year. Mean spending per firm on cyber has more than doubled in two years–from $1.45 million to $3.25 million. German firms are the biggest spenders at an average of $5.5 million. Belgian firms spend the least ($1.9 million on average).

Gareth Wharton, Hiscox Cyber CEO, said: “One of the big takeaways of this report is the worrying range of financial impacts that cyber- attacks can have. The risk of inaction is that the next attack could be enough to sink the business. Cyber is a complex problem but that does not mean it is unmanageable. With good risk management and appropriate cyber insurance, firms can contain the impact of an attack and limit the damage.”

The study also reveals a gulf in perception on Covid-19 dangers: less than half (47 percent) of firms said they had become more vulnerable to cyber-attack since the onset of the pandemic, though two-thirds of large and enterprise firms (67 percent and 68 percent respectively) said they had reinforced their cyber defences to deal with home-working. But small firms are lagging - only 35 percent of those with under ten employees said they had done the same.

German businesses were the hardest hit, accounting for more than a third of total losses across the entire study group at $48 million. They also topped the table for the median cost of all attacks ($23,700) and the largest single attack ($5.1 million).
The report found that the three key sectors targeted were technology, media and telecoms (56 percent), financial services (55 percent) and energy (54 percent). The percentage of firms targeted in each of these sectors was typically up from 44 percent, 44 percent, and 40 percent respectively in 2020.

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.