Cyber attacks: Need for action by boards of directors
One in two large companies has already been the victim of a cyber attack. In many cases, the consequence is a business interruption. The 14th edition of Deloitte's swissVR Monitor shows that although awareness of the risks is increasing, many companies lack a clearly formulated cyber strategy. The survey concludes that emergency situations are rarely rehearsed and that reporting by management to the board of directors also needs to improve.

The threat of cyber attacks is growing. Large companies are particularly affected: 45 percent of companies with over 250 employees have already been the victim of a cyber attack at least once. This is shown by the latest swissVR Monitor, a biannual survey conducted by the swissVR Board of Directors Association in cooperation with the auditing and consulting firm Deloitte Switzerland and the Lucerne University of Applied Sciences and Arts. For the study, 400 board members were surveyed on the focus topic of "cyber resilience".
In contrast to large companies, SMEs appear to be significantly less affected: only 18 percent of companies with under 50 employees report a serious attack. The correlation between company size and the frequency of attacks is obvious: large companies are more exposed globally and offer cyber criminals larger attack surfaces. Another explanation for the apparently lower level of concern among smaller companies is that such incidents are not always reported to the board of directors.
Business interruption is the most common consequence
Cyber attacks often have serious consequences for business operations. By far the most frequent consequence is a business interruption. This is the case for 42 percent of companies affected by a cyber attack (see chart 1). The operational processes of companies in the information and communications technology sector are particularly at risk. In this sector, 69 percent of those affected experienced a business interruption. Data leaks and malfunctions of products or services are also frequent consequences. In some cases, cyber attacks even have consequences outside the company itself: 11 percent of respondents complain of follow-up attacks on customers. Although the outflow of assets is rare, the financial consequences should not be underestimated. In addition to lost sales due to business interruptions, there is the threat of high follow-up costs, for example for the recovery of data.

Resilience to cyber attacks is gaining strongly in importance
The far-reaching consequences make it clear: every SME must deal with cyber risks. "The topic is now an integral part of good corporate governance. Fortunately, many companies have already recognized this. But there is definitely still potential. Our survey shows that cyber resilience is gaining strongly in importance across all industries. This must also be reflected in every company's risk management and strategy process," says Mirjam Durrer, a lecturer at Lucerne University of Applied Sciences and Arts at the Institute of Financial Services Zug IFZ. Ninety-five percent of the board members surveyed believe that the importance of cyber resilience for their company has increased over the past three years. The majority even observe a strong increase, although the assessment depends significantly on the size of the company. This again reflects the correlation between company size and threat level.
Cyber security is not yet a top priority everywhere
On the positive side, according to their own statements, boards of directors largely perform their duties with regard to cyber resilience. 85 percent of respondents affirm that their board follows trends and current developments in the area of cyber resilience (see chart 2). Eight out of ten boards also have a risk policy that addresses cyber threats. Nevertheless, there is a need for action, emphasizes Klaus Julisch, Head of Risk Advisory at Deloitte Switzerland: "Awareness of the risks is increasing, which is positive. Apart from that, the topic has not yet reached the boards of directors everywhere. Also, almost half of the companies lack a clear cyber strategy. Swiss companies and their boards of directors must therefore take even more responsibility with regard to cyber resilience."

Only one third rehearse the emergency
There is also room for improvement in emergency preparedness. Only one in three board members confirms that the board rehearses crisis management at least in part. The picture is somewhat better in the financial industry: around one in two companies in this sector conducts regular crisis training. In addition, the financial industry has the highest proportion of cyber insurance policies, at 58 percent.
There is also room for improvement in reporting to the board of directors: only about one-third of respondents are regularly informed by management about the top cyber risks or their own cyber strategy. A good half of the boards of directors receive reports on the general threat situation, current cyber attacks in the company or the need for action and investment to strengthen cyber resilience.
Source: Deloitte