Cyberattacks are now considered by most execs to be the top business concern, far outranking economic uncertainty, brand damage, and regulation, according to a survey by insurance consultancy Marsh and tech giant Microsoft.
The global survey of over 1,500 business leaders illustrates the rapid change in business leaders' perceived risks to their organizations and shows that having a cyber insurance policy is now more common than two years ago.
In 2017, Marsh and Microsoft found that 62% of respondents saw cyberattacks as a top-five risk, whereas this year 79% do. The share of respondents who see cyber attacks as the number one risk has also risen from 6% to 22% over two years.
SEE: 10 tips for new cybersecurity pros (free PDF)
This year, the second most widely considered top-five risk is economic uncertainty, followed by brand damage, regulation, and loss of key personnel.
The World Economic Forum (WEF) 2019 Global Risks Report ranks data theft and cyberattacks as top-5 risks in terms of likelihood, but they are behind extreme weather events and climate change concerns.
Of course, since 2017 the world has seen the damage caused by the WannaCry ransomware outbreak, which the US government blamed on North Korea. It was shortly followed by the hugely costly NotPetya malware, which was blamed by governments in the West on Kremlin hackers.
Criminal ransomware attacks continue to strike targets too, such as the attack on Norsk Hydro earlier this year that cost it $40m. And over the past few months, multiple US local governments have weathered targeted ransomware attacks with at least one attacker demanding a ransom payment of $5.3m.
Lately, universities across the West have come under fire from state-sponsored hacking groups in search of intellectual property.
However, these days business email compromise (BEC) is shaping up to be the most costly and common threat. Insurance giant AIG recently revealed that BEC-related insurance claims are the top cyber-insurance claim in 2018, accounting for 23% of all claims in the EMEA region. This was followed by ransomware.
According to Marsh and Microsoft's survey, 47% of organizations have cyber insurance, up from 34% in 2017. Additionally, 57% of large firms with annual revenues of over $1bn report having cyber insurance compared with 36% of organizations with revenues below $100m.
Nearly all respondents, totaling 89%, are confident their cyber insurance policy would cover the cost of a cyber event.
But not all cyber-insurance claims are paid. Food giant Mondelez was one of several victims of NotPetya in 2017. Its insurance provider Zurich Insurance Group declined to pay for Mondelez's $100m damages claim because NotPetya was considered a "hostile or warlike action in time of peace or war".
The case illustrated how governments blaming other governments have given insurance companies an argument not to pay certain damages claims. Mondelez sued Zurich over the unpaid claim in January.
Drug maker Merck, also a victim of NotPetya, has filed law suits against multiple insurers that rejected its damages claims on the grounds of a war exemption, the New York Times reported in April.
Over half of the respondents in Microsoft's survey said they are "highly concerned" about nation-state cyberattacks, while 55% said governments need to do more to protect them from these attacks.
More on security threats and cyberattacks
- Norsk Hydro ransomware incident losses reach $40 million after one week
- WannaCry ransomware crisis, one year on: Are we ready for the next global cyber attack?
- NotPetya an 'act of war,' cyber insurance firm taken to task for refusing to pay out
- WannaCry ransomware was the biggest challenge of the year, says cybersecurity centre
- Your failure to apply critical cybersecurity updates is putting your company at risk from the next WannaCry or Petya
- Bigger than WannaCry: A giant cyber attack will happen unless we rethink security, says GCHQ
- Naming and shaming nations that launch cyberattacks does work, say intel chiefs
- US: Russia's NotPetya the most destructive cyberattack ever CNET
- This is how it feels to face a major cyber attack
- Can Russian hackers be stopped? Here's why it might take 20 years TechRepublic
- Two cybersecurity myths you need to forget right now, if you want to stop the hackers