Annual losses from cyberattacks averaged US$4.7 million in the last fiscal year — with more than one in 10 firms losing over US$10 million —according to a new report from The Cybersecurity Imperative, a global thought leadership program produced by independent researcher ESI ThoughtLab in conjunction with Willis Towers Watson and other organizations specialized in cybersecurity and risk management.
The study covered 467 firms across multiple industries in 17 countries revealing that companies worldwide expect to boost their cybersecurity investments by 34% in the next fiscal year, after raising them by 17% the previous year. About 12% of companies surveyed plan to bolster their cybersecurity investments by over 50%. Additionally, since last year, the percentage of companies seeing a significant impact from cybercriminal activities — such as installation of ransomware — has soared, from 57% to 71%.
Peter Foster, chairman, Willis Towers Watson Global FINEX Cyber and Cyber Risk Solutions, says, “It is clear from the findings that companies are experiencing escalating impacts this year from key adversaries, including cybercriminals, malicious insiders and state-sponsored hackers, often from jurisdictions beyond the reach of local law. Establishing a continuous assessment through an integrated risk approach to cyber is critical for mitigating this ever-growing risk.”
The study also highlighted that most companies across industries and regions are witnessing a greater volume of cyberattacks and higher losses per incident. For instance, companies in China, Japan and India are seeing an estimated average loss of close to 10% of their revenue.
“Other than the direct costs such as financial expenses and fines arising as a result of cyber breaches, indirect costs such as opportunity costs, reputational damage and loss of customers can be equally or even more costly to companies. While the immediate losses from an incident may not be catastrophic, it may take more than five years for a company to feel the full financial consequences, particularly if a company has lost their competitive advantage as a market leader. It is therefore important for companies to take an integrated approach in assessing and managing their reputational risks,” adds Jessica Wright, cyber leader Asia, Corporate Risk & Broking at Willis Towers Watson.
The research shows that to combat evolving risks, companies need to take a proactive, multi-layered defense. Firms are responding by allocating the biggest share of their budgets to technology, while seeking the right balance between investments in people and process. They are also focusing more on risk identification to address emerging vulnerabilities and are investing more in resilience to ensure they can respond quickly to successful attacks.
Other calls to action from the study include:
• Make sure you are investing enough in cybersecurity. Some industries, such as media and consumer markets, are allocating less and may be more exposed to cyber-risks.
• Think of cybersecurity like any other existential threat to your business. The risks are not just about privacy, liability and stealing data; huge operational risks can also occur if business is interrupted, with reputational impacts that can hurt market positions.
• Pay attention to risks from partners and your supply chain. As firms draw on ecosystems of third parties to drive digital transformation, they increase their vulnerabilities to cyber risks.
• Be aware that legal and regulatory risks are also rising substantially. Companies that do not comply with new standards face hefty penalties and legal consequences.
• Measure your full losses, costs and returns. When hit by a successful cyberattack, you need to understand all your costs — direct and indirect, tangible and intangible.
The survey was carried out in the spring of 2019 as part of a global research initiative titled The Cybersecurity Imperative. The current survey is a follow-up to a more comprehensive survey of 1,300 companies conducted in the fall of 2018.
