According to the 2015 International Business Resilience Survey, conducted by Marsh and DRI International, firms consider cyber and IT-related risks to be the most likely to occur and have the greatest potential impact on their operations.
Marsh, in collaboration with DRI, surveyed nearly 200 C-suite executives, risk professionals and business continuity managers from large and medium-sized corporations internationally about their organizations’ attitudes toward business risks and the risk mitigation processes they have in place. The survey results indicate that organizations are better positioned to address traditional than non-traditional risks and that risk managers and CEOs have different perceptions about the severity and control measures in place for various risks facing their organizations.
Among 10 suggested risk scenarios, the top risks in terms of impact and likelihood are: reputational damage from a sensitive data breach (impact 79% – likelihood 79%); the failure in a main IT data center (59% – 77%); and online services being unavailable due to a cyber attack (58% – 77%). The risks with the lowest potential impact originate from a product recall event (15% – 21%).
According to the survey, CEOs overestimate their levels of protection for the most likely and high-impact risks: 28% stated they have dedicated insurance coverage against cyber attacks and 21% stated they have dedicated insurance protection for reputation damage after a data breach. However, only 6% of risk managers stated that they have dedicated coverage for these risks.
“Product innovations in specialty insurance such as cyber make this a good time for organizations to revisit their coverage to make sure that it is properly nuanced to meet the unique needs of their industry and the corporation’s business goals,” said David Batchelor, president of Marsh’s International Division. “Additionally, having a well thought out crisis management plan is a critical element in protecting an organization’s reputation.”
Three out of four respondents considered the failure of IT system as one of two areas that could have the greatest impact on their organization’s reputation, along with the lack of crisis management planning. Both CEOs and risk managers identified IT system failure prevention (29%) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25%). However, CEOs placed far less importance on the resiliency of IT systems (60%) in relation to reputation management.
In terms of preparedness, the majority of organizations believe they are better positioned to deal with traditional than non-traditional risks: respondents rated the level of resilience of their organizations to be high for natural catastrophes and IT system failure (40% and 44% respectively), and low for political violence and an activist group attack on social media (both 32%).