Most businesses are worried about the possibility of a cyber-attack, yet few have a financial plan in place to manage the aftermath.
It’s hardly surprising that 80% of UK business leaders are concerned or very concerned about the financial implications of a cyber-attack on their business. What is surprising is that almost 70% have failed so far to put in place a financial plan to deal with the outcome if the worst happens.
According to a survey carried out by Lloyds Bank at its recent ‘Cyber Beyond IT’ event, the growing digitisation of businesses and their supply chains, together with the emergence of the Internet of Things, is accelerating companies’ risk of disruption from a cyber-attack. However, the financial implications of a successful attack are not being addressed.
The poll of executives, from businesses ranging from SMEs to global corporates, revealed that only 32% have a financial resilience plan in place. With 34% of companies prepared to pay a ransom to get their systems and data back post-attack – and 13% of these saying they would pay a ransom of £1m or more – the indication is that businesses are entertaining a risk that almost certainly would not be tolerated elsewhere in their operations.
The event, which sought to press home the understanding that cyber is an enterprise-wide issue, not just an IT problem, found that although 65% of companies thought it would take them six months or more to recover from a disruptive cyber-attack, 43% had no financial cash reserve in place to ride out an attack, and just 24% had dedicated cyber insurance. What’s more, despite concern about the threat, only 53% of companies regularly discuss cyber risk at their board meetings.
Research published last year by Cybersecurity Ventures estimated that the global cost of ransomware would be US$5bn in 2017, up from US$325m in 2015. A recent Treasury Today investigation showed that while the costs can include ransom payments, ransomware attacks can also bring a variety of other costs as a result of enforced downtime, loss of data, productivity losses and additional employee training. Accenture’s 2017 Cost of Cyber Crime Study noted that the average time taken to resolve a ransomware attack is 23 days.
“A common problem faced by businesses is failing to understand the full financial impact of a cyber-attack,” commented Giles Taylor, Head of Data and Cyber Security, Lloyds Bank Commercial Banking. “Businesses recognise that there will be disruption but if recovery is going to take months or years rather than weeks, then without a plan the financial implications can be disastrous.”
A cyber crisis can quickly turn into a liquidity crisis and the sudden drain on cash reserves could affect a firm’s ability to pay staff or suppliers and stay afloat, added Taylor. “Strong governance, operational and financial planning should be at the heart of any cyber-response activity so that they are better equipped to minimise any potential harm.”
In practice there are many reasons why companies may not act to protect themselves from cyber risk. Strong contenders are competing priorities for a limited budget, and the mistaken belief that “it can’t happen here”.
The reality is that “the cost of handling the crisis probably far outweighs the cost of avoiding it”, Shirley Inscoe, Senior Analyst at Aite Group, told Treasury Today. “Quantifying the implications of a potential attack is extremely important to justify technology investments to protect companies.”
It can also help with risk transfer decisions when companies are considering taking out cyber insurance, which is after all a relatively recent development. Without deep pools of data and very accurate predictive modelling to rely on to help insurers understand the chances and magnitude of a loss, premiums may not be ‘optimised’. At the very least all companies should now be taking steps to quantify the cyber risks they face.