A new report from PwC says that 27% of companies have suffered a data breach leading to costs between $1m and $20m in the last three years.
The survey, which the financial giant says was conducted amongst 3,500 senior executives in sixty-five countries, found that 34% of North American firms reported such breaches, with only 14% saying that there had been no such incidents in that period.
Despite cyber-attacks continuing to cost businesses millions of dollars, fewer than 40% of executives surveyed say they have fully mitigated cybersecurity risk exposure in a number of critical areas. This includes, enabling remote and hybrid work (38% say the cyber risk is fully mitigated); accelerated cloud adoption (35%); increased use of internet of things (34); increased digitisation of supply chain (32%); and back-office operations (31%).
Matt Britten, insurance partner at PwC Bermuda, said: “The continued increased prevalence and severity of cyber attacks has fuelled a growing demand for cyber coverage, which appears to be far outstripping supply, offering a huge commercial opportunity for specialty insurers and reinsurers. The rapid evolution of cyber risk does present extreme challenges to underwriting and pricing, but reinsurers risk losing relevance if the demand for cyber cover isn’t met.”
He added: “During 2021 and this year, there has been an acceleration among Bermuda-based reinsurers towards speciality reinsurance with several carriers and brokers establishing dedicated cyber teams and units. This trend is expected to continue as they work to deploy more capacity to the market.”
PwC also found that most firms were increasing their cyber budgets. It said that the majority of executives surveyed said their organisations are continuing to increase their cyber budgets – 69% said the budget increased in 2022 and 65% plan to spend more on cyber in 2023. Increasing budgets reflect the fact that cybersecurity tops the agenda for resilience planning.
Concern with cyber extends to the top of organisations. Most CEOs surveyed are planning to ramp up action to address cybersecurity in the coming year – 52% said they will drive major initiatives to improve their organisation’s cyber posture. Many CFOs surveyed are also planning to increase their cyber focus, including cyber technology solutions (39%), focus on strategy and coordination with engineering/operations (37%) and upskilling and hiring of cyber talent (36%)
PwC also said that the range of harm organisations have experienced due to a cyber breach or data privacy incident over the past 3 years include loss of customers (cited by 27%), loss of customer data (25%), and reputational or brand damage (23%)
Bruce Scott, cyber leader for PwC in the Caribbean, said, “According to PwC’s survey – a catastrophic cyber-attack is the top scenario in 2023 resilience plans. It ranks higher than global recession, a new health crisis or inflationary environment. As cyber threats continue to increase in frequency and sophistication, a holistic approach to cybersecurity has become a top priority for the C-suite and boards.”
The study also found that four in five organisations (79%) surveyed state that a comparable and consistent format for mandatory disclosure of cyber incidents is necessary to gain stakeholder confidence and trust. Three-quarters (76%) agree that increased reporting to investors will be a net benefit to the organisation and entire ecosystem. Further, the same percentage agree that governments should be expected to use the knowledge base from mandatory cyber-attack disclosures to develop cyber defence techniques for the private sector.
While there is a clear preference for mandatory disclosure of cyber incidents, fewer than half (42%) of executives surveyed are fully confident their organisation can provide required information about a material/significant incident within the specified reporting period. There is also a hesitance to share too much information – 70% said greater public information sharing and transparency poses a risk and could lead to a loss of competitive advantage.