Cyberthreats top 2021 Travelers Risk Index

A majority of business leaders are confident in their cybersecurity, but less than half have adopted basic preventative measures.

“What we see in our claims, particularly in ransomware events, is that over 90% of the time, it comes back to the fact that the company didn’t have multifactor authentication either configured at all or broadly across its network. We see that same lack of control being exploited over and over again,” says Tim Francis, of The Travelers Indemnity Co. (Credit: welcomia/Shutterstock.com)

Cyberthreats are once again the leading business concern after taking a backseat to economic uncertainty in 2020, according to the 2021 Travelers Risk Index, which found just shy of 60% of business leaders said digital risks keep them up at night.

The other leading risks on this year’s index, both cited by 53% of respondents, were medical inflation and increases in employee benefit costs, according to Travelers. Among cyber risks, security breaches, system glitches and unauthorized access to bank accounts were the most cited threats.

Although 61% of business leaders surveyed said they feel “extremely or very” confident in their company’s cyber practices, fewer than half have adopted basic preventative measures available to them, such as multifactor authentication. This is despite cyberattacks increasing in frequency and severity, Travelers reported, noting that one-fourth of respondents have already been the victim of a cyberattack. Further, 55% of companies believe it is inevitable that they will be the victim of a data breach or cyberattack.

“These companies are admitting they aren’t as prepared as they could be, and maybe as they know they should be if over half expect something bad to happen to them,” points out Tim Francis, enterprise cyber lead at Travelers.

So what is driving this clear disconnect? Francis tells Propertycasualty360.com there isn’t a single answer to that question.

Much of the gap is driven wider by the availability of resources a company can earmark for cybersecurity. However, some of it is also propelled by misconceptions around preventative measures and their costs.

For example, 52% of respondents haven’t deployed multifactor authentication for remote access to systems.

“What we see in our claims, particularly in ransomware events, is that over 90% of the time, it comes back to the fact that the company didn’t have multifactor authentication either configured at all or broadly across its network. We see that same lack of control being exploited over and over again,” Francis says. “For most companies, it isn’t terribly hard to set your systems up to require multifactor authentication.”

Although the risks might be underappreciated to some extent, particularly in smaller businesses, company owners are starting to catch on as more than half (56%) said they purchased a cyber insurance policy. In 2018, just 39% said the same.

“There has been an evolution, and I’m glad to see the percentage of businesses with cyber insurance increase, but there is still too much of a gap between what I would expect it to be and what it is,” Francis says.

He explains that in addition to being a relatively new product for many businesses, there also remain misperceptions about what purposes cyber insurance was designed for.

“There is a linger perception that cyber insurance deals with issues related to data breaches or access to personal identifiable information, which it does,” Francis says. “What is underappreciated is that if you purchase cyber insurance, in the best cases, you aren’t just purchasing access to an insurance policy. You are also gaining access to an organization that can help you with these other things, like access to best practices and help understanding why multifactor authentication is better or why EDR (endpoint detection and response) is a better standard than regular antivirus software.”

Related: