Australian risk managers feel less resilient to a targeted cyber attack than to a pandemic or terrorist outrage

In a StrategicRISK Australian survey, risk managers were asked to rate their companies’ resilience to a selection of 35 risks. Bottom of the list – in the unenviable spot of ‘least resilient’ – was targeted cyber attack.

In other words, risk managers feel less prepared and able to mitigate and manage a cyber attack than they do a pandemic or a terrorist attack, which ranked 31st and 32nd respectively.

These results surprised RIMS Australasia board member and former chief risk officer for Scentre Group, Eamonn Cunningham.

“I would’ve thought that most organisations would be much more resilient to a targeted cyber attack than they would to a broad-based pandemic situation, and if they’re not, they certainly should be,” he said.

“To some extent that correlates with the low take-up thus far of cyber insurance,” he added.

But XL Catlin Australia boss Robin Johnson said cyber’s lowly position showed that companies were finally taking the risk seriously. “That’s quite reassuring in a strange way because if you talked to clients at board level several years ago, or even a couple of years ago, they would not have understood how open they were to cyber attacks.

“Risk managers were being told that it wasn’t really their area, that it was IT that should be responsible for it. The fact that it’s now being much more actively managed by the risk department is extremely positive. It’s a boardroom issue now and directors are ensuring that they ask the right questions to get a handle on how they deal with it.”

According to The Cranfield School of Management, resilient companies have “exceptional radars that help the organisation consider risks in aggregate, collate different types of information and respond effectively in a controlled and considered manner”. Using this definition, Australian risk managers feel most resilient about their corporate social responsibility programme.

Coming close behind in the resilience list were product defect/recall, injury to workers, fire or damage to property and directors’ liability. Each of these risks is typically covered by insurance.