Most UK companies not assessing suppliers for cyber risk, Marsh study finds

26/06/2015 07:05

Less than a third of UK businesses review their suppliers' exposure to cyber risk, according to a new study by insurance broker Marsh.

In its UK cyber risk survey report for 2015, Marsh found that 69.4% of the businesses it surveyed "do not assess the suppliers and/or customers they trade with for cyber risk". It said large companies need to check that their links with suppliers do not expose them to a cyber security threat.

"While organisations can control their own networks, they have much less control over those of the suppliers/third parties that they might be linked to," Marsh's report said. "Without the appropriate checks, this leaves them exposed and lacking control over standards of IT security in systems where hackers might find a 'back door' into their organisation."

"There therefore needs to be an improvement in supply-chain resilience to cyber-attack if organisations are going to reduce the threat arising from this key vulnerability. This is especially true for large organisations with a profile that attracts highly motivated and sophisticated hackers who might identify smaller business partners that are typically less well protected," it said.

The UK government has launched a new free online training course for staff involved in procurements to help boost cyber security awareness and skills.

"Procurement professionals deal with a wide range of sensitive commercial and financial information which is central to the successful operation of many businesses," the government said. "The course will increase awareness of common cyber risks and threats procurement professionals may experience in the workplace and how to prevent and deal with them. It provides advice on how to safeguard digital information, raise awareness of cyber issues with suppliers and gives examples of how to deal with issues such as information breaches in the workplace."

According to the Marsh study, 11.1% of UK companies have bought cyber insurance and a further 38.9% of businesses intend to obtain quotes for such products within the next year. Nearly half of organisations (47.2%) said, though, that they have "no plans" to take out cyber insurance.

The study found that many organisations (48.6%) do not believe they are well enough informed to "assess the insurances available". Marsh said that this "may suggest a lack of insight into what can be insured by a cyber insurance policy" or alternatively indicate that companies have a "lack of understanding of their … own risk profile" to the extent that they are "unable to make an informed judgment as to whether the cover is appropriate".

Nearly half of the UK organisations surveyed also admitted that they do not have a full "incident response plan for material cyber events", with 22.2% conceding they do not have one at all and 26.4% stating that they only have a partial plan in place.

Marsh said it was concerned at other findings from its study that showed that there is a lack of ownership of cyber risk issues in many UK board rooms.

"Board-level ownership of cyber risk exists in 19.4% of UK organisations," the report said. "While this figure is broadly in line with last year’s findings (20%), it remains very low. Meanwhile, IT departments continue to take primary responsibility for cyber risk in the majority (55.5%) of organisations. Cyber risk is increasingly recognised as a business risk rather than simply a technical control, and, within this context, it is disappointing to note that there is no material upwards movement in risk management and board functions seizing responsibility from IT."

"IT departments might know how to implement cybersecurity; however, the inability of IT to drive value for the organisation or the potential for significant damage to be caused as a result of a security breach, most certainly is a business risk – the consequences of which will be felt at the highest levels of the organisation should it occur. Boards therefore need to take ownership of cyber risk before a cyber event forces it on to the board agenda, and communicate the identified security priorities to IT departments so that they can align their activity and resources against the business’s risk management agenda," it said.