BS... That is way too over-optimistic, I'd reverse that figure
50% of companies don't have a plan, 40% have an untested one, whilst 10% have a tried and tested..
Then there is the question of how prepared they are to detect an attack. Over the past 4 years I've worked at 3 different companies, and only 1 of them was properly prepared. My current company (it's in the FTSE) doesn't even have an IPS/DPS or EndPoint Security on their customer-facing infrastructure (it's AWS... doing security like it's 1999!). If we got hit, we would never detect it - though thankfully we are now changing that.
And the one that was properly prepared was an SME company with about 200 staff... which ironically went bankrupt (hmm perhaps I overspent?!)
A/C to protect the innocent.. and my job :D