On June 22, Bermuda-based insurance provider Hiscox Ltd. announced the release of its fourth annual Cyber Readiness Report. The basis for the report is an online survey of 5,569 public- and private-sector professionals, responsible for their organization’s cyber security strategy, from Belgium, France, Spain, the Netherlands, the Republic of Ireland, the United Kingdom, and the United States, who completed the survey between December 2019 and February 2020.
Key findings in the report included the following:
- Cyber Losses: Total cyber losses, based on the survey responses, increased from $1.2 billion to nearly $1.8 billion. One United Kingdom financial services firm had the highest reported cyber losses ($87.9 million), and a United Kingdom professional services firm had the highest loss from any one cyber event ($15.8 million). Overall, the most heavily targeted sectors were financial services, manufacturing and technology, media, and telecoms. Irish firms suffered the highest median costs (more than $103,000).
- Cyberthreat Focus on Larger Firms: More than half of enterprise-scale firms with 1,000-plus employees (51 percent) reported at least one cyber incident, compared to 39 percent for the whole sample. These firms also reported the most incidents (a median of 100) and breaches (80).
- Ransomware: More than 6 percent of all respondents – one in six of those attacked – paid a ransom after a malware attack. The highest loss for any one company targeted with ransomware (which could include other cyber events) was more than $50 million. “Whether a ransom was paid or not, the average losses for firms subjected to a ransomware attack were nearly twice those of firms confronted by malware on its own – $927,000 compared with $492,000.”
- Cyber Readiness: The number of firms that achieved “expert” status in Hiscox’s cyber readiness model – which measures firms’ alignment with best practice in four areas: strategy oversight, resourcing, technology, and process – increased from 10 percent to 18 percent. U.S. and Irish firms had the highest percentage of “expert” status rankings (24 percent), while France showed the greatest improvement (18 percent, increasing from 6 percent). Overall, twice as many firms responded to a breach by adding new security and spending more on employee training.
- Cyber Security Spending: Respondents’ average spend on cyber security increased by 39 percent, from $1.47 million to $2.05 million. French firms had the highest average spend ($3.1 million), closely followed by Spanish and U.S. firms ($2.6 million and $2.4 million, respectively). The United Kingdom’s average spend increased dramatically, from just under $900,000 to $1.5 million. In addition, firms ranked as “experts” spent an average of $4.2 million over 12 months on cyber security, while firms at the other end of the scale (“novices”) spent an average of $1.3 million.
- Greater Cyber Responses: Approximately twice as many firms responded to a cyber event by taking extra measures to combat the hackers. For example, 25 percent (compared with 11 percent in 2019) increased spending on employee training after an attack. Nearly three-quarters of respondents (72 percent) plan to increase their cyber security budgets by 5 percent or more in the coming year (an increase from 67 percent in 2019).
- Cyber Insurance Coverage: The proportion of respondents who said that they have purchased cyber insurance as a result of a previous cyber event has risen steadily over the past three Hiscox reports, from 9 percent to 20 percent. Slightly more than one-quarter of firms (26 percent) reported that they had a standalone cyber policy, and 18 percent reported that they planned either to purchase standalone coverage or add it as coverage to their policies. Nearly half (45 percent) of firms ranked as “experts” said that they had a standalone cyber policy.
Note: Hiscox concluded overall that the sharp increase in the frequency and severity of cyber events “is a trend that should concern everyone involved in cyber security.” Information-security teams should use this report to benchmark their companies’ own states of cyber readiness and incorporate its findings into reporting to senior executives.