Cyber risk is ever present and ever increasing, and every organisation is exposed to it. The headlines carry constant reports of data breaches at corporations.

A shorter version of this article was written for and published by Insurance Day on 21 October 2015.

Whilst hackers are getting increasingly smart, companies are collecting an ever-increasing amount of data about their customers that is ripe for stealing and exploiting. Online retailers, for instance, collect vast amounts of information from their customers to facilitate easy payment. Losing this data could be disastrous for the customers, and also for the company's brand, as its reputation for cyber security could be ruined.

PwC has recently published its 2015 Information Security Breaches Survey commissioned by HM Government. The survey involved 664 respondents from all industry sectors in the UK. There are a number of key findings about the severity and impact of cyber security threats against corporations. In short, the cyber attackers are winning.

Key findings of the PwC 2015 Survey

Security breach levels are ever increasing

90% of large organisations (more than 250 employees) and 74% of small organisations (fewer than 50 employees) had a security breach in the last year. In 2014 these figures were 81% for large organisations and 60% for small organisations. It is notable that the majority of those surveyed considered that breaches would continue to increase in the next year.

The breaches are not limited to one type: virus infection/malware, theft and unauthorised access, which are all different types of information breach, increased for all sizes of organisation from 2014 to 2015.

It is considered that one of the reasons for the higher number of breaches in 2015 is that there is an increased cyber awareness across all sizes of organisations allied to better detection of malicious software and infiltration.

Costs of breaches are soaring

A most relevant finding of the 2015 Survey is the sharp increase in the cost of dealing with a security breach. For large organisations the starting point for breach costs is now £1.46 million, up from £600,000 in 2014. For small organisations the range is £75,200 to £310,800. Such costs include business disruption, time spent responding to an incident, loss of business, regulatory fines and compensation payments, and loss of assets (including theft of intellectual property). The upward trend in the year-on-year costs of dealing with a security breach is clearly illustrated in a table that appears in the PwC 2015 survey, which also illustrates how those costs are broken down.

It is notable from the table breakdown that by far the largest part of the cost of dealing with a security breach is business disruption, followed by lost assets and lost intellectual property and then lost business.

The reputational impact of a security breach

Another most interesting finding is the reputational impact of a security breach. The 2015 Survey notes that “for those organisations that suffered a breach in the past year 41% felt that the greatest impact suffered was to their reputation – nearly twice as high as the next largest impact, which was to the actual business operations (23%).” A majority of the respondents identified reputational damage as the factor responsible for the classification of a particular breach as their worst incident. Large organisations in the survey also reported “extensive adverse” or “some adverse” media coverage arising from their most serious breaches. It is perhaps unsurprising, then, that the survey found that one of the top drivers for information security expenditure is protecting the organisation’s reputation. Indeed, whilst complying with laws and regulations and maintaining business continuity remain important considerations for information security expenditure, it “seems that the public’s reaction to poor management of customer data is now the main concern of budget holders and is driving spending accordingly.”

Are companies insuring their cyber security exposure?

With the increase in the percentage of organisations that have suffered a security breach and the soaring costs of a security breach, one would expect a corresponding increase in the number of organisations that are purchasing bespoke cyber insurance cover. However, that is not what the 2015 Survey found. Only one third of the respondents considered that they have insurance that would respond in the event of an information security breach, and the majority of those respondents considered that their existing insurance policies would cover their costs of a security breach. Of those organisations that did not have insurance, a small percentage were intending to purchase cyber cover, whilst the majority did not consider it a priority or did not know that such cover existed.

Can we expect a change in the cyber insurance landscape in the 2016 survey?

It seems that almost every year someone says that this is the year that cyber risks insurance will take off. Whilst 2015 is fast nearing its end, the impending revision of the EU Data Protection Regulation reached an important stage on 9 October 2015. The EU Council has reached a common position on the draft Data Protection Directive for the law enforcement area. This is an important step, as the parties working on the EU Draft Data Protection Regulation had agreed that the two instruments needed to be adopted as a package. The agreement of 9 October 2015 now enables the Luxembourg Presidency to start discussions with the European Parliament on this part of the data protection package, with the intention that negotiations on the two instruments will be completed by the end of the year. This is likely to kick-start a real demand for cyber insurance in the UK, because the revision of the EU Data Protection Regulation is expected to include mandatory notification of breaches of personal data. Indeed, similar mandatory breach notification laws introduced in the US during the past decade are widely credited as the catalyst for having changed the cyber liability insurance landscape. It seems, therefore, that we can expect a change in the uptake of cyber insurance in 2016, especially if the cyber attackers keep on their winning streak.