Cyber-Risk Awareness Remains, but Survey Finds Signs of Complacency


November 09, 2022


While organizations remain rightly concerned about cyber threats as the exposure grows and evolves, a recent report suggests a worrisome level of complacency around cyber-risk management and resilience efforts.

The October 11, 2022, Spotlight on: Cyber and Technology Risk from Beazley found the percentage of US and UK survey respondents listing cyber as the number 1 risk slipping to 28 percent this year from 34 percent last year. Meanwhile, 41 percent of US and UK business leaders surveyed indicated their organizations were "very prepared" to meet cyber threats, though that figure is down 5 percentage points from last year, Beazley notes.

"We are detecting signs that business leaders may have become a little complacent—even over-confident—about the cyber and technology risks faced by their businesses," Patricia Kocsondy, head of US cyber and technology at Beazley, said in a statement. "Perhaps because of the overwhelming challenge that the current geopolitical environment poses today they may be being blinded to the threat that cyber and technology risk may deliver tomorrow."

The report notes that while the Russia-Ukraine war has disrupted global trade, its impact on cyber exposures remains to be seen. "The threat of a surge in state-sponsored hacking comes hard on the heels of a global move to remote working which has either validated companies' contingency planning or exposed the limitations of their IT infrastructure," the report says.

The report suggests that while cyber risk remains a major concern, a decline in the perception of cyber resilience hints at a sort of "cyber fatigue" that runs counter to business leaders' apparent confidence about their organizations' exposure and resilience levels.

"It can be easy for companies who've never experienced a cyber attack to underestimate their level of preparedness," Ms. Kocsondy said in the report. "But the fact of the matter is that cyber risk isn't going away and companies are more dependent on technology than they've ever been in the past."

Beazley also found that concerns about the threat to intangible assets from cyber criminals have increased, as have concerns over technology obsolescence, though the latter concern was greater among US executives than among their counterparts in the United Kingdom. Some businesses are facing a costly challenge of replacing end-of-life systems as they try to keep up in a world becoming ever more technology-dependent, the report says.

Beazley's survey found technology obsolescence to be the top concern among 27 percent of US and UK business leaders, highlighting technology's growing importance to economic activity, as well as the existential threat to a business of being left behind as technology moves forward.

But, the report suggests, continuing capital constraints have left some businesses appearing reluctant to commit to the cost of transforming systems and processes. That could expose them to greater cyber, disruption, and technology obsolescence risks going forward, according to Beazley.

"Resilience has also dropped, possibly as companies struggle with the cost and effort of updating or replacing legacy systems," the report says.

Midmarket businesses, in particular, might be struggling to reconcile what their insurance and technology partners are asking of them to reduce cyber and technology risks with the costs and resources required to make changes to legacy systems, the Beazley report suggests. "For many businesses, the priority in the last few years may have been to simply stay afloat and keep operating, but those legacy systems are likely to be an albatross around the neck of their future competitiveness," the report says.

End-of-life systems could pose an existential risk to some companies, Beazley says, as service providers discontinue software and hardware support, interactions with third-party systems become more difficult, and the threat of technological obsolescence emerges.

"Legacy systems that have a high degree of interconnectivity within a company's network also pose a greater risk of security breach and, from an underwriting standpoint, are viewed as inherently more vulnerable and therefore more difficult to insure," the report says.

Regarding the intangible assets concerns, the report notes that intellectual property (IP) disputes have become more frequent. There has been a surge in so-called cyber squatting, the report says, as well as growth in the number of filings by patent trolls. US businesses are particularly aware of the risk of IP theft from companies in China, the report says.

"While IP remains low on the list of technology concerns, the proportion of companies listing it as a key issue has grown dramatically, more than 107 percent, in the [United Kingdom] and [United States] since last year, while resilience has fallen, suggesting this will be a key area to watch," the report says.

The report called IP risk "an accident waiting to happen," suggesting that the low level of preparedness for IP risks "raises a red flag."

The Beazley report also emphasized the importance of businesses' cyber hygiene as a key to their cyber insurability.

"As companies confront issues such as end-of-life technology, enhanced cyber risk linked to the geopolitical situation, and the impact of inflation on business and investment, leaders will nonetheless need to focus on improving cyber hygiene," the report says. "With pricing for cyber insurance rising, insurers are becoming more selective about which cyber risks they write. Cyber insureds therefore need to regard cyber resilience and risk management as much more than a tick-box exercise, as they seek to protect intangible assets and ensure business continuity."
