A research report launched by AIG in the UK highlights a significant gap in the understanding of, and response to, cyber threats by senior board directors in Britain’s largest companies.
Just over half (52%) of respondents discuss their company’s cyber security policy “less often than not or never” at board meetings, while nearly one quarter (24%) are not confident that they are up-to-date on the nature of cyber threats.
Mark Camillo, Head of Cyber and Professional Indemnity, EMEA at AIG, said, “The cost of cyber attacks nearly doubled last year according to the UK Government; 81% of large UK businesses and 60% of small companies suffered a security breach. In this context boards need to take cyber risk a great deal more seriously than they appear to now. For example, companies are split as to whether the maintenance of cyber security levels is designated at board level. In just over half of those surveyed, there is strong board representation on this issue. Certainly, having key roles in place like a Chief Information Security Officer, who reports to the CEO, is best practice.
“However, over a third (36%) of companies mention their IT department as being designated for the maintenance of cyber security, and with a further 11% of ‘other’ responses. What we have learned from the large breaches is that cyber security is not just a technology issue. It takes an enterprise-wide effort to prevent attacks and to mitigate damage when they happen. While the day-to-day responsibility may be in the technical or security teams, strategy and response need to have ownership across functions, hence board engagement.
“So, how confident is the board on emerging cyber threats? While there is undoubtedly confidence among many companies, with three quarters (76%) feeling confident that the board is up to date on the nature of cyber threats, a substantial minority of nearly a quarter (24%) are not very or at all confident about this in this area of rapid change.
“Beyond awareness, the research also raises questions around the issues of prevention of and response to cyber threats. Although 90% of poll respondents were confident that their company had identified its level of vulnerability across all key information assets and 84% believe their IT department is able to protect the company from a cyber attack, herein lies a problem. No matter how many firewalls a company has, or how good its IT systems are, no set of controls can guarantee that a data breach won’t happen – a more comprehensive risk management strategy is needed.”