Four fifths (79%) of European companies have at best only a basic understanding of their exposures to cyber risk, Marsh has reported.
In its European 2015 Cyber Risk Survey Report, the insurance broker said 68% of medium and large European organisations have not yet started to calculate the financial impact of a cyber-attack.
“Despite European organisations placing a greater focus on cyber risks in the past 12 months, clearly there is still a considerable amount of investigation required by many in order to improve their understanding and management of cyber risk,” said the report’s conclusion.
Marsh said that 43% of respondents have not yet identified one or more cyber scenarios that could affect their organisations.
Only a quarter (25%) of organisations possess an incident response plan for material cyber events, noted the report.
“Part of the solution to this lies in moving responsibility for cyber away from IT departments and into the boardroom. Only with board-level buy-in can companies identify business-critical areas and undertake scenario testing and financial impact analysis to build up their cyber risk profile, enabling them to mitigate and/or transfer the risk accordingly,” said the report.
The broker noted that when organisations have carried out the assessment and quantification of the risk, they are able to choose relevant insurance products focused on their biggest concerns, listing these as breach of customer information, business interruption, and crime/fraud.
“One particular finding of this report that deserves special attention is the high level of organisations (77%) that do not assess suppliers they trade with for cyber risk,” said the report.
“For all the proactive steps taken and money invested to prevent cyber-attacks occurring within their own organisations, a security breach at a contractor or supplier, for example, could potentially undo all of that,” added Marsh.