Microsoft: Cyberattacks now the top risk, say businesses

Business leaders have grown more nervous about cyberattacks over the past two years.
Written by Liam Tung, Contributing Writer

Cyberattacks are now considered by most execs to be the top business concern, far outranking economic uncertainty, brand damage, and regulation, according to a survey by insurance consultancy Marsh and tech giant Microsoft. 

The global survey of over 1,500 business leaders illustrates the rapid change in business leaders' perceived risks to their organizations and shows that having a cyber insurance policy is now more common than two years ago. 

In 2017, Marsh and Microsoft found that 62% of respondents saw cyberattacks as a top-five risk, whereas this year 79% do. The share of respondents who see cyber attacks as the number one risk has also risen from 6% to 22% over two years. 

SEE: 10 tips for new cybersecurity pros (free PDF)

This year, the second most widely considered top-five risk is economic uncertainty, followed by brand damage, regulation, and loss of key personnel. 

The World Economic Forum (WEF) 2019 Global Risks Report ranks data theft and cyberattacks as top-5 risks in terms of likelihood, but they are behind extreme weather events and climate change concerns.   

Of course, since 2017 the world has seen the damage caused by the WannaCry ransomware outbreak, which the US government blamed on North Korea. It was shortly followed by the hugely costly NotPetya malware, which was blamed by governments in the West on Kremlin hackers. 

Criminal ransomware attacks continue to strike targets too, such as the attack on Norsk Hydro earlier this year that cost it $40m. And over the past few months, multiple US local governments have weathered targeted ransomware attacks with at least one attacker demanding a ransom payment of $5.3m

Lately, universities across the West have come under fire from state-sponsored hacking groups in search of intellectual property.   

However, these days business email compromise (BEC) is shaping up to be the most costly and common threat. Insurance giant AIG recently revealed that BEC-related insurance claims are the top cyber-insurance claim in 2018, accounting for 23% of all claims in the EMEA region. This was followed by ransomware.  

According to Marsh and Microsoft's survey, 47% of organizations have cyber insurance, up from 34% in 2017. Additionally, 57% of large firms with annual revenues of over $1bn report having cyber insurance compared with 36% of organizations with revenues below $100m. 

Nearly all respondents, totaling 89%, are confident their cyber insurance policy would cover the cost of a cyber event. 

But not all cyber-insurance claims are paid. Food giant Mondelez was one of several victims of NotPetya in 2017. Its insurance provider Zurich Insurance Group declined to pay for Mondelez's $100m damages claim because NotPetya was considered a "hostile or warlike action in time of peace or war". 

SEE: Ransomware: Cyber insurance payouts are adding to the problem, warn security experts

The case illustrated how governments blaming other governments have given insurance companies an argument not to pay certain damages claims. Mondelez sued Zurich over the unpaid claim in January.  

Drug maker Merck, also a victim of NotPetya, has filed law suits against multiple insurers that rejected its damages claims on the grounds of a war exemption, the New York Times reported in April

Over half of the respondents in Microsoft's survey said they are "highly concerned" about nation-state cyberattacks, while 55% said governments need to do more to protect them from these attacks.


n 2017, Marsh and Microsoft found that 62% of respondents saw cyberattacks as a top-five risk, whereas this year 79% do.  

Image: Marsh/Microsoft

More on security threats and cyberattacks

Editorial standards