There are major shortfalls in the cybersecurity readiness of a large majority of firms, according to a new international Hiscox study that reveals both a marketing opportunity and cause for concern among carriers seeking to cover cyber risk.

Approximately 73 percent of firms are dealing with cybersecurity shortfalls, the Hiscox Cyber Readiness Report 2018 determined. Just 11 percent of respondents qualified as experts.

Dan Burke, vice president and cyber product head for Hiscox in the U.S., said companies must invest both money and resources into managing and reducing cyber attacks.

“There needs to be a dedicated investment, and not just a financial one, in order to prevent, detect and mitigate cyber attacks,” Burke said in prepared remarks. “Beyond the allocation of funds, an organization must focus on its people, its thinking and its processes in order to become a cyber expert.”

Hiscox surveyed more than 4,100 companies in the U.S., UK, Germany, Spain and the Netherlands, with a goal of determining how ready businesses are to manage cyber threats. Respondents included department managers, IT specialists and other key professionals. They were evaluated on factors including strategy, engagement, organizational leadership, training and evaluation, a willingness to respond, investment, and insurance coverage.

Hiscox, a specialist insurer, noted in its report that firms are aware of how bad cyber attacks could be, even if they’re not adequately prepared for them.

“While many firms lack adequate defenses, most are keenly aware of the potential of a cyber attack,” the Hiscox report said. Underscoring that awareness, 66 percent of respondents ranked a cyber threat on par with fraud as top risks to their businesses.

Other findings in the report:

  • Larger companies are more prepared than smaller ones for cyber threats. Broken down, 21 percent of companies with 250 employees or more ranked as cyber experts, and another 17 percent qualified as intermediates. Just 7 percent of smaller firms—those with fewer than 250 people—qualified as experts on cyber risks.
  • Smaller firms don’t have enough resources to combat cyber threats. They devoted about 9.8 percent of their IT budgets to cyber risk versus 12.2 percent for larger companies.
  • U.S. and UK firms scored higher than others, with 13 percent of both qualifying as experts versus the 11 percent overall score. Just 7 percent of Dutch firms ranked as experts.

Here are some U.S.-specific findings, based on 1,000 domestic companies surveyed:

  • Almost 60 percent of survey respondents said their overall cybersecurity spending should grow by 5 percent or more. The average IT budget of respondents was $11.65 million, with 10.6 percent devoted to cybersecurity.
  • About 54 percent said that employee training helped reduce cyber hacks and incidents. Another 43 percent of U.S. companies said they were pursuing cybersecurity exercises like phishing experiments so they can better understand how employees behave and train them for an attack.
  • Only 58 percent of U.S. companies with 250 or more employees have cyber insurance, while just 21 percent of U.S. companies with fewer than 250 employees are covered.
  • Approximately 52 percent of U.S. small businesses assert they won’t get cyber insurance, while 9 percent of their larger counterparts are doing the same.

Source: Hiscox