Businesses expect an increased likelihood of direct impact from crises such as terrorism or cyber extortion
A quarter of large UK companies are concerned or unsure about their resilience level, according to a new report by Arthur J. Gallagher.
Carried out by YouGov, the survey was completed just prior to the WannaCry attack and the Manchester and London terrorism incidents.
The survey found that 40% of companies have experienced a security threat in the past two years and more than half expect to face some form of extortion (60%) or specifically cyber extortion (51%) in the next 12 to 18 months.
Meanwhile, 8% of large UK company respondents had faced a terrorism incident in the past 24 months, with this number rising to 22% when respondents were asked whether they felt their company was at risk of terrorism in the next 12 to 18 months.
However, despite the majority of firms surveyed by YouGov having invested in tools such as security, insurance and business continuity, disaster recovery or crisis management planning to mitigate and manage the impact of these fast-evolving security threats, 24% are concerned or unsure about their resilience levels.
Most large companies have at least some tools in place to manage the impact of security threats, and 76% feel they are somewhat or very resilient.
Only half of the companies Gallagher surveyed had tested their crisis-response systems in the past six months, and two in five had not modelled their exposures to ensure they are truly prepared.
“Building a culture of crisis resilience takes time and effort but the rewards are high,” said Paul Bassett, managing director of Gallagher’s crisis management practice. “Our research has found the majority of large UK companies – but far from all of them – have invested in the tools necessary to build resilience in the face of rising and amorphous threats such as terrorism, cyberattacks and extortion. But these tools provide a false sense of security if they are not joined up in a comprehensive and cohesive approach that brings together all the key functions needed to play a role in preventing or responding to fast-evolving security threats.
“Only by proactively engaging and coordinating the efforts of risk, HR, security, finance, IT, communications, legal and real estate can a company maximise its ability to successfully anticipate, prevent, respond and recover from today’s heightened risk of threats.”
Justin Priestley, executive director of crisis management at Gallagher, added: “Crisis management plans must be short, principle-based and genuinely stress-tested to enable rapid decision-making and communication at times when there will be a vacuum of information, panic and pressure from stakeholders on all sides.
“But getting crisis resilience right means the total cost of managing risk will be lower too, since insurance becomes a backstop rather than playing a central role. Comprehensive solutions will bolster confidence among internal and external stakeholders that a company will survive and prosper, regardless of the deepening threat environment.”