Another day, another headline about a high-profile hack or data breach. The media and public take notice when consumer data have been compromised. And with the threat of litigation and massive losses, companies are paying more attention than ever to cybersecurity and are increasing how much they spend on it every year. According to a survey of executives and IT/security directors from 250 small and mid-size enterprises (‘SMEs’), conducted by IT research and advisory company 451 Research, more than 80 percent of the SMEs reported they were planning to increase their cybersecurity budgets by 14 percent in 2019.

Sure, it’s better to allocate more money to protect your customers’ data and the integrity of your systems. But a budget amount isn’t meaningful in and of itself.

In a recent study, Forrester found that cybersecurity budgets generally break down into the three following categories:

  • Up to 10 percent of the IT budget: included 31 percent of companies in both the financial services & insurance industry and the public sector & healthcare industry.
  • 11 to 20 percent of the IT budget: included 40 percent of companies in the retail & wholesale industry.
  • 21 to 30 percent of the IT budget: included 32 percent of companies in the utility & telecommunications industry.

So, does that mean industries like insurance and healthcare are at greater risk of data breaches while utility and telecoms are locked down tight?

Yes. And no. Well, maybe.

A company’s cybersecurity budget only tells part of the story. Beyond the dollar amount, there are a few things to consider when trying to understand whether a company is appropriately invested against cyber attacks. Has the organization:

  • Developed a clearly defined and detailed cybersecurity budget? More than the amount alone, a clearly detailed budget helps show where and how resources are being allocated.
  • Modified its budget following a significant cyber incident? If an organization has not adjusted its budget following a significant incident, such as by reprioritizing resources or security solutions, this could suggest a lack of awareness about its current and future vulnerabilities.
  • Significantly increased or reduced its cybersecurity budget from the previous year?
  • Increased its cybersecurity budget as part of an acquisition or merger? During M&A it is important to ensure that a firm’s cybersecurity budget includes resources to manage the integration of the different companies’ IT systems and security processes.

And beyond budget, is the company doing the right things? For example, does the organization:

  • Have a clear risk management process? An organization’s ability to respond to a cyber incident is determined not just by how much money it spends on security but by whether it understands and addresses its risk exposure and potential vulnerabilities.
  • Take proactive measures to prevent cyber incidents? Implementing proactive measures, like multi-factor authentication, offline and tested backups, and network segmentation, can reduce an organization’s vulnerability to a cyber incident or reduce the damage one causes.

A company’s cybersecurity budget tells only part of the story when it comes to whether or not the company is prepared for a cyber attack or other event.

To learn more about this subject, check out the S-RM and AXA XL Cyber team’s whitepaper, Cybersecurity budgets: What do they really convey about maturity?

