A Hiscox report shows increasing cyber losses for businesses targeted by various cyber risks. The study found losses stemming from cyber security threats had grown almost six-fold, jumping from a median cost of $10,000 to $57,000 per company within the reported period. Firms also stepped up their cyber security spending by 39% to keep up with the increasing threats. At the same time, the proportion of businesses targeted fell from 61% to 39%. The study analyzed 5,569 companies from both the private and public sectors in the U.S., UK, Germany, France, Belgium, Spain, Ireland, and the Netherlands.
Key findings of the Hiscox report
The report ranked each firm based on its security strategy and execution. Results showed that companies’ readiness increased from 10% to 18%, with some firms achieving expert status. The rise in cyber security expenditure reversed the trend of the previous two years, when cyber security spending was falling.
The report also showed that one in six firms attacked paid a ransom. The most expensive loss by a single company, which involved ransomware and other cyber events, amounted to $50 million.
Higher spending was associated with increased expertise, according to the Hiscox study. Higher ranking firms had an average cyber security expenditure of $4.2 million within 12 months. In contrast, poorly performing firms spent an average of $1.3 million over the same period.
Regardless of whether a ransom was paid or not, firms that faced a ransomware attack spent twice as much as those that had early detection mechanisms. This factor contributed to increasing cyber losses associated with cyber attacks.
The number of firms that purchased cyber insurance products because of a previous cyber security incident increased from 9% to 20% over the last three years, an indication that companies are anticipating more cyber losses and taking precautionary measures.
26% of the firms surveyed said they had a standalone cyber insurance policy. In contrast, 18% said they would purchase a standalone cover or add it to their existing insurance policies. This acknowledgement shows firms were becoming increasingly aware that cyber losses were a major concern just like traditional threats such as fire accidents.
Cyber security spending increasing over the years
Firms increased the amount they spend on cyber security from $1.47 million to $2.04 million, a 39% increase. Similarly, 72% of the firms plan to increase cyber security spending by 5% the next year, compared to 67% the previous year.
The number of firms that responded to a cyber security event by increasing security measures, cyber security spending, and employee training doubled over the same period.
French firms spent an average of $3.1 million, Spanish firms $2.6 million, and U.S. firms $2.4 million. Although the UK lagged on cyber security spending, its expenditure increased from $900,000 to $1.5 million.
A quarter (25%) of the firms participating in the study spent more on employee training compared to only 11% of respondents the previous year.
Cyber losses rising despite an increase in cyber security spending
Cyber losses increased from $1.3 billion to almost $1.8 billion during the period studied. UK financial services firms were the biggest losers, with a total amount of $87.9 million. The UK also had the highest loss from a single event, which affected a professional services firm and cost $15.8 million. Irish firms had the highest median costs, at $103,000. The most targeted industries were financial services, manufacturing, technology, media and telecoms. The report also stated that cyber losses could be much higher than the figures currently reported.
Larger firms are the most targeted
Over half (51%) of larger firms with 1,000 or more employees reported at least one cyber incident, compared to 39% of all the firms analyzed during the study. Larger corporations also had the most incidents and breaches, with a median of 100 and 80, respectively.
The increasing costs of cyber losses despite the reduction in the number of firms targeted implies that cyber attacks were becoming more strategic by targeting the most critical areas of the most lucrative businesses. This explains why threat actors mostly focused their attacks on larger firms compared to small businesses.