UK Cyber Risk Survey Report reveals weaknesses in business’ dealing with suppliers

June 28, 2015

As the Board of Target USA will attest, or those of its members who remain, making sure suppliers have adequate cyber security controls is critical to maintaining a proper data security system.  Target’s massive data breach was instigated through a third party site which had poor data security. Businesses work with their suppliers online as much as in person, and that interconnection is growing, not subsiding.  According to a recent survey by the insurance broker Marsh, titled UK 2015 Cyber Risk Survey Report, fewer than one in three companies surveyed review their suppliers’ cyber protection, or more accurately their exposure to a data breach.  This raises compliance issues for companies under the Privacy Act 1988.  There is every reason to believe the results of this survey would be replicated in Australia.  Given the more anaemic enforcement of the legislation here, the degree of preparedness might even be worse than that of the UK.

Other findings are:

  • 11.1% of UK companies have cyber insurance although another 38.9% of businesses intend to obtain quotes for such products within the next year.
  • 47.2% of businesses had “no plans” to take out cyber insurance.
  • 48.6% of businesses believe they are not well enough informed to “assess the insurances available”.
  • 61.1% of organisations have not yet made any attempt to estimate the losses that would result from a breach.
  • nearly half of businesses did not have a full “incident response plan for material cyber events”: 22.2% do not have one at all, while 26.4% have only a partial plan.
  • only 19.4% have board-level ownership of cyber risk.
  • 40.3% of businesses experienced a cyber-attack in the past 12 months, which is a rise year on year.

The results are sobering in terms of business governance.  ASIC has made it clear that proper data security is an issue of governance (see my post from 6 April 2015 here).  The Privacy Commissioner should regard it as equally important; at the very least, it is an intrinsic part of the Australian Privacy Principles.

It is little wonder the conclusion of the Marsh report is slightly pessimistic as to the adequacy of both protection and (no doubt from Marsh’s perspective) insurance coverage when it states:

Clearly, there is still a lot of work that needs to be done by UK organisations in order to improve their understanding and management of cyber risk. Achieving a high level of understanding is essential as it serves as the foundation stone upon which all other cyber risk transfer and mitigation decisions need to be made.
The solution to this lies in the boardroom, and it is still a great concern that the board takes primary responsibility for cyber risk in less than one fifth (19.4%) of organisations surveyed. Only with board-level buy-in can companies take the big strides needed to advance their knowledge and perform the financial modelling required. Proper assessment and quantification of the risk will lead to better targeted mitigation, practical improvements in risk management, and the ability to judge the value of the risk transfer options available on the market.
One particularly interesting — and somewhat remarkable — finding to emerge from this year’s survey is that more than two thirds (69.4%) of respondents’ organisations do not assess the suppliers they trade with for cyber risk. Supply chains are proven to be a critical vulnerability in corporate IT networks, yet there appears to be too little work being done to ensure that the entities with which companies share system links are following basic good security practices.
This has to improve as, for all the proactive steps taken and money invested to harden corporate networks against cyber-attacks, a security breach at a contractor or service provider, for example, could potentially allow hackers to circumnavigate all of that. The insurance industry can play and is already playing a role in that assurance process; however, more work needs to be done in order to move the security focus away from the edge of the corporate network and to the heart of strategic decision making.
