
UK 2015 Cyber Risk Survey Report
INSIGHTS June 2015


CONTENTS
Introduction
Work still to be done in terms of awareness/ownership of cyber risk
Lack of data continues to prevent companies from adequately assessing cyber risk
Lack of control over suppliers/third parties a major concern
Take up of cyber insurance remains low
Conclusion


INTRODUCTION

Marsh has undertaken an in-depth study into organisations’ attitudes towards the cyber threat, the management control processes they have in place, and their understanding and use of cyber insurance as a means of risk transfer. The benchmarking data in this report was collected from risk professionals and CFOs from large and medium-sized corporations from across the UK. By conducting this study, we hope that the aggregated information will provide useful benchmarking data and reference points against which the reader can compare their own company’s positions.

BOARDROOM DISCUSSION
Spotlight on cyber risk to UK companies:
18% of organisations have a “complete understanding” of cyber risk, down on last year.
19.4% of UK businesses have board-level oversight of cyber risk.
69.4% of companies do not assess their suppliers and/or customers for cyber risk.


WORK STILL TO BE DONE IN TERMS OF AWARENESS/OWNERSHIP OF CYBER RISK

FIGURE 1: To what extent do you believe your organisation has a clear understanding of its exposure to cyber risk?
  Complete understanding: 18%
  Other options (no understanding; limited understanding; basic understanding): 4.2%, 25% and 52.8%

Firms across the UK continue to place cyber among their leading risks in terms of the likelihood and severity of impact [1]; however, the findings in FIGURE 1 suggest there is still a lot of work to do to improve understanding and management.

Interestingly, there has been a substantial drop in the percentage of respondents who feel they have a “complete understanding” compared to last year [2] (down from 34% to 18%).

This comes at a time when cyber risk is being elevated as a board agenda item, suggesting that executive-level interrogation has exposed a pre-existing overconfidence in the level of knowledge and understanding within certain organisations.

If this is the case, then it is clear those tasked with creating and delivering critical management information relating to cyber risk need more help and guidance to get them to a position where the level of management information is adequate.

Cyber risk is ranked as a tier one threat according to the UK National Security Strategy, and it is therefore surprising that more than a quarter (26.4%) of UK companies surveyed do not consider it to be material enough to even get on the risk register. Just 16.6% of companies place cyber as a top five risk on the risk register, while the remainder place it outside of the top 10.

[1] Global Risks 2015 (10th Ed.), World Economic Forum, Geneva, 2015.
[2] Comparisons are with the 2014 UK and Ireland Cyber Risks Survey, London, Marsh.


FIGURE 2: Where does cyber risk feature on the corporate risk register?
  Cyber risk is a top five risk on my organisation’s risk register: 16.6%
  Not included on the risk register: 26.4%
  Other options (cyber risk is a top 10 risk on my organisation’s risk register; cyber risk features on the organisation’s risk register, but outside the top 10): 29.2% and 27.8%

In light of the results in FIGURE 2 relating to the understanding of cyber risk, however, these findings are easier to explain. Employees in those companies that do not place cyber risk on their risk registers are unlikely to have a decent level of understanding of cyber, since it will not have received the necessary level of investigation to move it forward.

Nearly three quarters (73%) of respondents from the manufacturing industry say that cyber risk does not appear in the top 10 risks on their corporate risk registers — the highest proportion of industry segments we surveyed. This is perhaps understandable due to a low level of high-profile cyber incidents within the industry; however, as a key target for industrial espionage, and with instances of industrial control technology being compromised recently reported [3], one could argue that the threat is being underestimated.

[3] As disclosed by the German Federal Office of Information Security, which reported “massive damage” to a blast furnace at a steel mill in Die Lage der IT-Sicherheit in Deutschland 2014, available at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile.


FIGURE 3: Have you identified one or more cyber scenarios that could most affect your organisation?
  Yes: 31.9%
  No: 68.1%

The fact that fewer than one third (31.9%) of respondents have identified one or more cyber scenarios that could most affect their organisations (see FIGURE 3) correlates with the findings from FIGURE 1. It suggests that the lack of a complete understanding and absence/low positioning of cyber on the risk register is, for many companies, filtering through to a lack of definition around specific scenarios that might impact their businesses.

Board-level ownership of cyber risk exists in 19.4% of UK organisations. While this figure is broadly in line with last year’s findings (20%), it remains very low (see FIGURE 4). Meanwhile, IT departments continue to take primary responsibility for cyber risk in the majority (55.5%) of organisations. Cyber risk is increasingly recognised as a business risk rather than simply a technical control, and, within this context, it is disappointing to note that there is no material upwards movement in risk management and board functions seizing responsibility from IT (the percentage has risen incrementally to 15.3% from 14% in 2014).

IT departments might know how to implement cybersecurity; however, the inability of IT to drive value for the organisation or the potential for significant damage to be caused as a result of a security breach most certainly is a business risk — the consequences of which will be felt at the highest levels of the organisation should it occur. Boards therefore need to take ownership of cyber risk before a cyber event forces it on to the board agenda, and communicate the identified security priorities to IT departments so that they can align their activity and resources against the business’s risk management agenda.

FIGURE 4: Please indicate which of the following potential stakeholders takes primary responsibility for the review and management of cyber risks in your organisation.
  IT department: 55.5%
  Board: 19.4%
  Risk management: 15.3%
  Finance department: 8.4%
  Brand management: 1.4%
  Group legal: 0.00%


LACK OF DATA CONTINUES TO PREVENT COMPANIES FROM ADEQUATELY ASSESSING CYBER RISK

The percentage of firms that have experienced a cyber-attack in the past 12 months has risen to 40.3% (see FIGURE 5), albeit marginally (from 31% in 2014).

However, compared with other statistics (HM Government’s 2015 Information Security Breaches Survey states that 90% of large organisations and 74% of small organisations have suffered a security breach) [4], this figure is still low, indicating that many of the respondents to this year’s survey are either particularly fortunate or (more likely) unaware of breach events within their firms.

Interestingly, 100% of respondents in two industries — communications, media, and technology; and energy — reported that they had been subject to a cyber-attack in the past 12 months. This most likely reveals a more enlightened position of those organisations rather than any high level of vulnerability.

In terms of organisations that have conducted or estimated the financial impact of a cyber-attack, this year’s survey results are somewhat contradictory to earlier findings. As such, it would be reasonable to question the rigorousness of the financial analysis around those numbers and how many are in fact high-level estimates rather than worst loss values calculated from detailed information and knowledge of cyber risk and individual exposures.

The majority (61.1%) of organisations have not yet made any attempt to estimate/calculate loss estimates (see FIGURE 6), however, suggesting that they are operating in the dark when it comes to the financial impact upon their businesses.

FIGURE 5: Has your organisation been subject to a cyber-attack in the past 12 months?
  Yes: 40.3%
  Other options (no; insufficient knowledge to answer): 38.9% and 20.8%

FIGURE 6: Has your organisation conducted or estimated the financial impact of a cyber-attack? What is the worst loss value?
  No loss estimates made: 61.1%
  Other options (GBP1 million or below; GBP1 million - GBP2 million; GBP2 million - GBP5 million; GBP5 million and above): 15.3%, 13.9%, 4.2% and 5.5%

[4] 2015 Information Security Breaches Survey, UK Department for Business Innovation & Skills, London, 2015.


FIGURE 7: If yes, does your finance function have a plan in place to access sources of appropriate funding to deliver both the required amount of funds and be accessible at the point when it is needed?
  Yes: 48.9%
  No: 51.1%

This puts them in a poor position to transfer the risk or even to appreciate whether a cyber event might threaten the viability of the company. Event modelling, combined with financial stress testing, is required to evaluate both the total financial loss attaching to an event and the shorter-term availability of cash to maintain trading.

The majority of organisations have not planned for sources of funding (see FIGURE 7); however, the 48.9% that have is an encouraging number. Since just 11.1% of companies are buying insurance (see FIGURE 11), it must be the case that companies are bypassing the insurance market and finding alternative methods to fund the risk (from available cash lines or lines of credit or assets that can be disposed of rapidly, for example).

Possessing and rehearsing an incident response plan is recognised as having a very positive effect on the operational, financial, and reputational impact of a cyber-attack upon an organisation. The effect for breaches of personal data was quantified in the Ponemon Institute’s 2015 Cost of Data Breach Study, which reveals that those companies with an incident response team in place typically make a GBP9.50 saving on the per capita cost of a data breach, compared with the mean per capita cost [5].

FIGURE 8: Does your organisation possess an incident response plan for material cyber events?
  Response options: definitely yes; no; partially; don’t know. Values shown: 30.6%, 26.4%, 22.2% and 20.8%.

[5] 2015 Cost of Data Breach Study, Ponemon Institute, London, May 2015.


LACK OF CONTROL OVER SUPPLIERS/THIRD PARTIES A MAJOR CONCERN

It is both a surprise and a huge concern that more than two thirds (69.4%) of respondents to this year’s survey do not assess the suppliers and/or customers they trade with for cyber risk (see FIGURE 9).

Suppliers and external organisations with whom system links are shared present one of the key vulnerabilities to UK companies. Businesses have done a lot to improve cybersecurity in the past 12 months; however, their exposure to third parties, whether service providers, product suppliers, customers, or, in the case of banks, borrowers, presents significant risks to companies’ networks. In addition to this, more than half of respondents (51.4%) are not asked to demonstrate a competent standard of IT security practices to their own bank and/or customers in order to do business with them.

While organisations can control their own networks, they have much less control over those of the suppliers/third parties that they might be linked to. Without the appropriate checks, this leaves them exposed and lacking control over standards of IT security in systems where hackers might find a “back door” into their organisation.

There therefore needs to be an improvement in supply-chain resilience to cyber-attack if organisations are going to reduce the threat arising from this key vulnerability. This is especially true for large organisations with a profile that attracts highly motivated and sophisticated hackers who might identify smaller business partners that are typically less well protected. For example, a recent report published by Marsh and the UK Government highlighted that nearly a quarter (22%) of small businesses admit they “don’t know where to start” with cybersecurity [6].

One of the most well-publicised cyber breaches in recent years occurred at a large US retail company after hackers stole network credentials from a third-party heating, ventilating, and air conditioning (HVAC) contractor that had an IT link with the victim’s corporate systems. Incidents like these are likely to rise in frequency until organisations place greater focus on setting out the basic technical controls that all suppliers/contractors should have in place.

FIGURE 9: Do you assess suppliers and/or customers you trade with for cyber risk?
  No: 69.4%
  Other options (yes; insufficient knowledge to answer): 22.2% and 8.4%

FIGURE 10: Has your bank or your customers required you to demonstrate a certain standard of IT security practice in order to do business?
  Yes: 48.6%
  No: 51.4%

[6] UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, UK Cabinet Office, London, May 2015.


TAKE UP OF CYBER INSURANCE REMAINS LOW

It is encouraging to find that more than half (52.8%) of respondents’ organisations are engaged with the insurance market in one way or another (see FIGURE 11).

Our experience and earlier findings in this survey suggest that the remainder are not yet ready to approach the market as they have an incomplete understanding of the risk, as opposed to them making a conscious decision not to purchase insurance following a value-based judgment. This latter explanation would tie in with the earlier finding that 68.1% of organisations have not identified one or more cyber scenarios that could most affect their organisations (see FIGURE 3). Organisations such as these — because they have not carried out the financial assessment required — are in a poor position to approach the insurance market and place a value on transferring the risk.

The survey data therefore suggests that more work needs to be done by organisations and their professional advisers — including their insurance brokers — to help improve their understanding of cyber risk and their cyber exposures and demonstrate what value insurance can bring.

The insurance market continues to address the issues that represent organisations’ greatest concerns (see FIGURE 12): a standard cyber insurance policy can deliver cover against breach of customer information (31.9%) and business interruption (22.2%), while computer crime/fraud (12.5%) can be insured against via a comprehensive crime insurance policy. The insurance market is also making inroads to deliver meaningful cover for reputational loss (8.4%).

Of particular interest is that none of the respondents from the industrial sectors identified physical property damage as a priority risk, despite a lot of recent attention being given to the threat that exists to critical infrastructure and the potential for tampering with industrial control technology.

FIGURE 11: Please indicate your organisation’s current status with regard to cyber insurance.
  My organisation has bought cyber insurance: 11.1%
  My organisation has no plans to purchase cyber insurance: 47.2%
  Other options (my organisation is currently in the process of applying for cyber insurance; my organisation is planning on seeking quotations for cyber insurance in the next 12 months): 2.8% and 38.9%


FIGURE 12: Which cyber loss scenario presents the greatest threat to your organisation?
  Breach of customer information: 31.9%
  Business interruption (BI): 22.2%
  Crime/fraud: 12.5%
  Reputational loss: 8.4%
  Other options (loss of intellectual property (IP); data or software damage; liability to third parties resulting from a system breach; physical property damage and bodily injury; insufficient information to answer): 8.4%, 5.5%, 5.5%, 4.2% and 1.4%

FIGURE 13: Where do you view the greatest threat to your organisation originating from?
  Response options: an internal threat; organised crime; hacktivist groups; terrorist- or state-sponsored; operational error including loss of mobile device. Values shown: 34.7%, 22.2%, 23.6%, 16.7% and 2.8%.


FIGURE 14: Which statement best reflects your attitude to cyber insurance based on your current knowledge?
  Insufficient knowledge to answer: 48.6%
  Other options (the insurance available does not meet the needs of my organisation; the insurance available meets a limited number of my organisation’s needs; the insurance available meets all of the needs of my organisation): 31.9%, 12.5% and 6.9%

The findings in FIGURE 14 suggest that companies recognise that cyber insurance is not a holistic solution in dealing with cyber exposure and that, in fact, it covers only certain specific events and outcomes. Cyber exposure might attach itself to a number of different insurance policies that need to maintain an effective response when the loss or liability outcomes are created by cyber events. Nearly half (48.6%) of respondents admit to having “insufficient knowledge” in order to assess the insurances available, which may suggest a lack of insight into what can be insured by a cyber insurance policy. However, in view of the earlier findings, this figure might also indicate that a lack of understanding of their firm’s own risk profile places many respondents in a position where they are unable to make an informed judgment as to whether the cover is appropriate.


CONCLUSION

Clearly, there is still a lot of work that needs to be done by UK organisations in order to improve their understanding and management of cyber risk. Achieving a high level of understanding is essential as it serves as the foundation stone upon which all other cyber risk transfer and mitigation decisions need to be made.

The solution to this lies in the boardroom, and it is still a great concern that the board takes primary responsibility for cyber risk in less than one fifth (19.4%) of organisations surveyed. Only with board-level buy-in can companies take the big strides needed to advance their knowledge and perform the financial modelling required. Proper assessment and quantification of the risk will lead to better targeted mitigation, practical improvements in risk management, and the ability to judge the value of the risk transfer options available on the market.

One particularly interesting — and somewhat remarkable — finding to emerge from this year’s survey is that more than two thirds (69.4%) of respondents’ organisations do not assess the suppliers they trade with for cyber risk. Supply chains are proven to be a critical vulnerability in corporate IT networks, yet there appears to be too little work being done to ensure that the entities with which companies share system links are following basic good security practices.

This has to improve as, for all the proactive steps taken and money invested to harden corporate networks against cyber-attacks, a security breach at a contractor or service provider, for example, could potentially allow hackers to circumnavigate all of that. The insurance industry can play and is already playing a role in that assurance process; however, more work needs to be done in order to move the security focus away from the edge of the corporate network and to the heart of strategic decision making.


About Marsh

Marsh is a global leader in insurance broking and risk management. We help clients succeed by defining, designing, and delivering innovative industry-specific solutions that help them effectively manage risk. Marsh’s approximately 27,000 colleagues work together to serve clients in more than 130 countries. Marsh is a wholly owned subsidiary of Marsh & McLennan Companies (NYSE: MMC), a global team of professional services companies offering clients advice and solutions in the areas of risk, strategy, and people. With 57,000 employees worldwide and annual revenue exceeding $13 billion, Marsh & McLennan Companies is also the parent company of Guy Carpenter, a global leader in providing risk and reinsurance intermediary services; Mercer, a global leader in talent, health, retirement, and investment consulting; and Oliver Wyman, a global leader in management consulting. Follow Marsh on Twitter @MarshGlobal.

About this UK 2015 Cyber Risk Survey Report

This report was prepared by Marsh’s Cyber Risk Practice, which is dedicated to providing insurance and risk management solutions for the cyber exposures of clients around the world. In the UK, the practice:
• Manages premium volume in excess of GBP4 million.
• Has 10 cyber risk experts dedicated to serving clients across the UK.

At Marsh we have a proven track record of helping our UK clients of all kinds operate in an increasingly technologically dependent environment, particularly at a time when many businesses’ critical processes are often automated and delivered to the point of use by a mixture of internal and external resources. Our UK team works closely with our clients to meet the complex risk management challenges that the diversity of dependent systems and use of critical third-party IT suppliers for delivery create. Clients with operations outside the UK can benefit from access to our global team which works out of more than 20 offices worldwide to provide clients with the support they require when directing preventative mitigation resources and taking informed risk transfer decisions. By combining the expertise within Marsh Risk Consulting and Marsh FINPRO’s cyber placement team we are able to deliver a seamless service for clients in this important area of risk. According to specific requirements, we can deliver:
• Cyber risk financing optimisation.
• Coverage gap analysis.
• Cyber placement benchmarking.
• Enhanced cyber insurance policy wordings.




For more information, please contact:
STEPHEN WARES
EMEA Leader, Cyber Risk Practice
Marsh Ltd
+44 (0)20 7357 5420
stephen.wares@marsh.com

MARSH IS ONE OF THE MARSH & McLENNAN COMPANIES, TOGETHER WITH GUY CARPENTER, MERCER, AND OLIVER WYMAN.

The information contained herein is based on sources we believe reliable and should be understood to be general risk management and insurance information only. The information is not intended to be taken as advice with respect to any individual situation and cannot be relied upon as such.

Marsh Ltd is authorised and regulated by the Financial Conduct Authority.
Copyright © 2015 Marsh Ltd. All rights reserved. Graphics No. 15-0464
