Awareness of cyber risk is growing but board-level ownership of the risk continues to lag


Despite growing levels of awareness and understanding of cyber risk among large and medium-sized corporations, board-level ownership of the issue remains comparatively low with many firms relying on their IT departments for the strategic direction of their cyber risk strategies.

According to the Marsh Risk Management Research, UK & Ireland 2014 Cyber Risk Survey Report, launched at the Airmic conference today, cyber risk now features prominently on the corporate risk registers of organisations across the UK and Ireland, with one-quarter (24%) of respondents placing it in the top five risks they face and over half (56%) placing it in their top ten.

However, Marsh’s research found that cyber risk is managed and reviewed at board level in just 20% of respondents’ organisations with 57% of respondents stating that the overall responsibility for the assessment and management of cyber risk lies with their IT departments. While the majority of firms have or are seeking to buy cyber insurance in the next 12 months, only 14% currently have policies in place.

Stephen Wares, cyber risk practice leader, Europe, the Middle East and Africa (EMEA), Marsh, commented: “For those organisations that cited the board as the primary risk owner, there is recognition within these businesses of the potentially catastrophic impact that cyber risk may have on their revenues and reputations.

 “Increased board-level ownership will accelerate efforts to understand how cyber risk affects organisational risk profiles, and will foster the adoption of more sophisticated risk mitigation measures. It will also improve the ability of companies to secure correctly targeted insurance protection at attractive premiums, should they decide to transfer some of the risk to the insurance market.”

Although only 32% of respondents stated that their organisation has assessed the estimated financial impact of a cyber attack, more than half of those surveyed plan to buy or seek quotations for cyber insurance within the next 12 months.