How companies view their cyber exposure, and how they deal with it

The 2018 Travelers Risk Index found cyber risks are the No. 2 concern across all business sizes and industries, and the percentage of businesses reporting they have been the victim of a cyber attack has doubled. Despite all of this and the fact that 52 percent of respondents believe that suffering a cyber attack is inevitable, a majority of those surveyed reported not taking adequate steps to protect themselves.

view cyber exposure

In the Travelers’ survey of more than 1,200 business leaders representing a range of industries and company sizes, 91 percent reported being confident their companies have implemented best practices to avoid a cyber event. But despite their confidence, the same leaders also indicated that:

  • 55 percent have not completed a cyber risk assessment for their businesses
  • 62 percent have not developed a business continuity plan
  • 63 percent have not completed a cyber risk assessment on vendors who have access to their data
  • 50 percent do not purchase cyber insurance.

“Cyber risks carry serious consequences for any business, threatening everything from revenue to operations,” said Tim Francis, Enterprise Cyber Lead at Travelers. “These findings reveal some surprising things about how companies view their cyber exposures, their relative confidence in dealing with them and the clear opportunity that exists for them to be better prepared for a cyber attack.”

Other key findings include:

  • The percentage of respondents who think the current business environment is more risky continues to decrease. In 2018 it was 36 percent, compared to 41 percent in 2016 and 48 percent in 2014.
  • Overall, the concern about cyber risk is second only to medical cost inflation, however, it is the top concern of large businesses and in sectors such as technology, banking and professional services.
  • The percentage of businesses that have been the victim of a cyber attack has increased. In 2015, 10 percent of study participants said they had been a cyber victim; that number has doubled in 2018.
  • Compared to last year’s survey, the three biggest cyber concerns remain the same: security breach, system glitch and unauthorized access to bank accounts.
  • Three other cyber-related concerns – operational software systems being remotely hacked, not having the resources to recover from a cyber event and cyber extortion – saw a jump of at least 5 percentage points from last year.

Over the past few years, multiple third-party reports have shown that small businesses suffer the majority of cyber attacks, yet these businesses are the most likely to report not having cyber insurance coverage. Although small businesses may be a frequent target, 74 percent of survey respondents from small businesses said they did not purchase cyber insurance.