VIEW 32 Cyber incident under-reporting

32. Cyber incident under-reporting

Many small and medium sized enterprises (SMEs) believe that a cyber incident is unlikely to happen to them because it is only big companies that are targets. Certainly, going by what is reported in the press, this might appear to be the case. However, an interesting white paper published in 2018 by AIR Worldwide, a risk modelling company, refutes this. The paper describes the AIR Probabilistic Cyber Model from which the data in the diagram is derived.

The blue line shows the incidents reported in the press. It is clear that unless the company’s revenues are greater than $100m the press will not consider it a newsworthy story. However, just because SME incidents are not hitting the headlines, it does not mean that they are not happening. If you examine the claims data, you can discover the real story which is that plenty of SMEs ⁽⁸⁾ are getting hit by cyber criminals, even companies with revenues of $1m.

32. Cyber incident under-reporting

SMEs do need cyber insurance
Notice that the left-hand scale shows breach likelihood. It seems that the likelihood of suffering a breach is broadly the same whether your revenues are $1m or $100m. Since there are a lot more small companies than big ones, there must therefore be a large number of small companies suffering cyber-attacks. The gap between the orange and blue lines shows the extent of underreporting in the press.

There is one other point to make. For a company to make a claim they must have had a cyber insurance policy in the first place. We also know that SME’s are generally underinsured when it comes to cyber. So, the claims data is understating the problem. The message to SMEs is that getting cyber cover is a good idea.