
Out-Law News

Cybersecurity risks better understood but planning remains poor, says report


While board members increasingly take responsibility for cybersecurity, the majority of UK firms are unaware of the full cost of a cyber attack, according to insurance broker Marsh. 

Board-level 'ownership' of cybersecurity has risen by more than 50% in relative terms, from 19.4% of respondents in 2015 to 30.3% this year, Marsh said.

"This would suggest that, as high-profile events, government initiatives, and legislation have pushed cyber[security] to the top of boards’ agendas, they are increasingly taking ownership of the risk, further illustrating that cyber[security] has increasingly evolved into a business risk as opposed to a technical matter," Marsh said in its annual cybersecurity report.

Overall levels of understanding around cyber risk have also increased compared to last year, with 83.8% of respondents having a basic or complete understanding of their company’s exposure to cyber risk compared to 60.8% last year, Marsh said.

However, many are failing to take the necessary next steps, such as setting up cross-disciplinary groups to identify the real risk they face and the potential financial cost, the report said. IT remains responsible for the review and management of cybersecurity risk in 55% of organisations.

External suppliers are a major weak spot for many businesses, with only 26.5% of supply chains assessed for risk, Marsh found. Correspondingly, only 35.5% of respondents said they had been asked to demonstrate good practice by their own banks or customers.

Just over half of respondents, or 55.9%, have bought cybersecurity insurance or are "engaged with the insurance market", the report said.

"Awareness of cyber risk has clearly increased from when we carried out this same survey of UK companies last year," the report said, but "increasing awareness is just part of the task facing UK organisations… there is still a great deal of work to be done to improve understanding and management of cyber risk."

Alan Sheeley, a civil fraud and asset recovery specialist at Pinsent Masons, the law firm behind Out-Law.com, said: "Companies often take two or three weeks to react after they become aware of a cyber attack, when they really have to act immediately."

"As soon as an attack happens the board should contact experts who have the knowledge and expertise to preserve data and identify the fraudsters. The company has to understand how the attack happened, and build adequate defences to stop it happening again. Often the board just instructs the IT department to look at the issue, but most IT departments do not have the skills to preserve the data, or to truly understand how the hack has happened," Sheeley said.

"Successful attacks must be taken seriously and responded to appropriately, especially if the attack has resulted in data or monies being transferred to the fraudster," he said.

"Boards need to put an action plan in place, setting out which experts to instruct if an attack is successful, especially if data is going to be preserved. That preservation will maximise the chances of civil fraud solicitors recovering the monies that have been stolen and will help any police investigation. Civil fraud solicitors are experts in crisis management and preserving the evidence trail, and should be able to use the evidence in the civil courts to obtain disclosure orders and potentially search and seize or freezing orders. This will maximise the chances of understanding how the attack happened, who is behind it and retrieving any financial loss if appropriate," Sheeley said.

The report also found that concern about reputational loss increased from 8.4% in 2015 to 13.2%, overtaking concern about crime/fraud.

"This is no doubt as a result of recent high-profile cyber events having had a huge impact on brand and reputational value," Marsh said.

However, the main risk remains a "breach of data", said Sheeley.

"That is not surprising, given that the general data regulation will come into force across Europe on 24 May 2018. After that date companies will be liable for a €20 million fine, or 4% of their turnover, for data breaches," he said. 
