Deloitte recently published its Irish Information Security and Cybercrime Survey 2013. The survey results will be of particular interest to insurers providing cyber insurance products and cyber extensions. Strong growth in the field of cyber insurance is predicted for the coming years and cyber cover has increasingly become an add-on for professional indemnity and financial institutions policies. The survey, now in its second year, contains a number of interesting findings relating to public and private sector experiences of cybercrime in the past year. The survey respondents included multinationals, Irish corporates and public bodies. Of the entities surveyed, 21% were sourced from financial services with a further 7% coming from the insurance sector.
The survey showed that a large number of entities have already been victims of cybercrime and have suffered significant financial losses as a result:
- 40% of respondents had experienced a cyber breach of some kind
- Of the organisations that experienced serious incidents, 31% reported losses exceeding €100,000 with 14% suffering losses in excess of €250,000 per incident
- The average cost of a large cybercrime incident was estimated at €135,000
- €29,954 is the average clean-up and remediation cost to organisations following an incident
- Cybercrime has cost Irish entities an average of 2.7% of their annual turnover – this figure increases to 10% of annual turnover for the 15% most severely affected organisations.
Insurers will be particularly concerned to note that, despite expressing serious concern at the risk posed by cybercrime, many organisations say their internal processes for dealing with cybercrime are inadequate:
- 49% of respondents rate overall readiness to deal with cybercrime incidents as fair or poor
- 33% believe measures to detect incidents or cybercrime are either inappropriate or inadequate
- 63% of respondents believe their organisation is only partially equipped, or do not consider their organisation to have adequate measures to deal with cybercrime
- 57% of respondents stated that no further actions were taken following an investigation of internal or external incidents
- 76% are of the view that existing policies only partially address or fail to address recent business and technology changes such as cloud computing or employee purchased mobile devices.
The survey also revealed that private and public sector bodies are not fully aware of the possibility of obtaining insurance cover in respect of cybercrime incidents. 67% of respondents had not considered cyber insurance or risk transfer as a mechanism to protect against cyber-attacks, business interruptions or data theft or loss and only 14% of respondents actually have cyber cover.
Cybercrime represents an ever increasing threat both to international business and government bodies. The survey suggests that Irish entities are only now beginning to appreciate the extent of this risk. Cyber cover is likely to play an important role in the future as both the public and private sector seek to minimise exposure to a constantly evolving threat.