Advisen Ltd and Zurich have partnered for a fourth consecutive year on a survey designed to gain insight into the current state and ongoing trends in information security and cyber liability risk management. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed at least in part by 507 respondents.
The majority of respondents classified themselves as either
- Member of Risk Management Department (not head) (38%)
- Chief Risk Manager/Head of Risk Management Department (33%)
Respondents with more than 20 years of risk management and insurance experience represented the largest group at 39% of the total, followed by 25% with 11 to 20 years, 18% with 5 years or less, and 17% with 6 to 10 years.
A summary of the survey is below.
Perception of Cyber Risks
Respondents’ perception of cyber risk is largely unchanged from last year with 88% considering cyber and information security risks to be at least a moderate threat to their organization. Respondents do however believe that board members and executive management are viewing cyber risks more seriously.
“In your experience, are cyber risks viewed as a significant threat to your organization by:”
- 64% said “yes” for Board of Directors (54% in 2013)
- 72% said “yes” for C-Suite Executives (6% in 2013)
Perception of risk varies based on size of business. Although studies have suggested that small companies are targeted as frequently as, if not more often than, larger companies, as a group they continue to view cyber risks less seriously. In response to the question
“How would you rate the potential dangers posed to your organization by cyber and information security risks?”
- 81% of the smallest companies (revenues less than $250 million) consider cyber risks to be at least a moderate danger
- 93% of the largest companies (revenue greater than $10 billion) consider them to be so.
Consistent with last year’s study, on a scale of one to five, with 5 as very high risk and 1 as very low risk, “damage to your organization’s reputation resulting from a data breach” is the biggest concern of respondents with 64% rating it a 4 or 5. This was closely followed by “incurring costs and expenses from a cyberattack” with 62%, and “privacy violation/data breach of customer records” with 61%.
In contrast, the exposure perceived as the least risky was “theft or loss of customer intellectual property” with 43% rating it a 1 or 2. This was followed by “business interruption due to customer cyber disruptions” with 33%, and “employment practice risk due to use of social media” with 32%.
Data Breach Response
Over the past year, huge and highly recognizable U.S. businesses have fallen victim to some of the largest data breaches in history. These breaches are proof that even those with the most sophisticated information security practices and infrastructures are vulnerable to a cyber-attack. Some suggest that corporate data breaches are no longer an “if” or even a “when” proposition, but rather “how bad” will the inevitable breach be. When a breach does occur, research suggests that organizations that have data breach response plans in place prior to a breach, fare much better than those who do not.
“Does your organization have a data breach response plan in the event of a data breach?”
- 62% said yes
- 14% said no
- 24% did not know
“In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?”
- IT – 38%
- General Counsel – 21%
These two departments received the highest percentages of the responses.
Information Security and Cyber Risk Management Focus
Consistent with the 2013 survey, 80% claim that information security risks are a specific risk management focus within their organization. Larger companies are slightly more likely to make it a focus, with 83% of companies with revenues in excess of $1 billion doing so, compared with 77% of those with revenues under $1 billion. However, the six-percentage-point difference between small and large companies is significantly less than the 17-point difference from a year ago.
The difference is even more significant when comparing the largest companies (revenues of $10 billion or greater) and the smallest companies (revenues of $250 million or less), with 92% of the largest companies making information security a risk management focus compared with only 72% of the smallest companies.
For a second consecutive year, the percentage of respondents with a multi-departmental information security risk management team or committee has declined: 52% have such a team or committee, down from 56% in 2013 and 61% in 2012. Although statistically still within the margin of error, this is a potential trend worth following. As in previous years, however, this varies materially based on the size of company, with 58% of larger companies ($1 billion in revenue or greater) claiming to have this team or committee compared to 42% of smaller companies (under $1 billion in revenue).
The departments most likely to have representation on the information security risk management team are:
- IT – 90%
- Risk Management/Insurance – 73%
- General Counsel – 63%
- Compliance – 55%
- Internal Audit – 47%
- Treasury or CFO’s Office – 40%
- Chief Privacy Officer – 36%
- Marketing – 10%
- Investor Relations – 6%
- Sales – 5%
- Didn’t know – 9%
- Other – 15% (the most common write-in responses were Operations and Security)
The IT department is still acknowledged as the front line defense against information losses and other cyber liability risks. In response to the question “Which department is PRIMARILY responsible for spearheading the information security risk management effort?”
- 69% responded IT
- 11% Risk Management/Insurance
- 5% responded Other, the most common write-in being Information Security
Social media provides businesses with an array of benefits such as increasing brand awareness, promoting products, and providing timely support. It also exposes organizations to a degree of risk, such as the potential for reputational damage, privacy issues, infringement of others’ intellectual property, and data breaches.
“Does your organization have a written social media policy?”
- 74% responded yes
- 17% no
For a third consecutive year respondents were asked questions on cloud services. Thanks to their cost effectiveness and increased storage capacity, cloud services have become a popular alternative to storing data in-house. Warehousing proprietary business information on a third-party server, however, makes some organizations uncomfortable because they lack direct control over how the information is secured. Nonetheless, security concerns continue to be outweighed by the benefits.
“Does your company use cloud services?”
- 66% responded yes, up from 55% last year, and 45% in 2012.
“Is the assessment of vulnerabilities from cloud services part of your data security risk management program?”
- 51% responded yes, consistent with last year
“Does your organization have a mobile device security policy?”
- 74% said yes
- 15% said no
- 13% did not know
Larger companies continue to be more likely to have such a policy with
- 82% of large companies ($1 billion or greater) responding yes
- 62% of smaller companies (under $1 billion) responding yes
The use of personal handheld devices for business purposes is increasingly preferred by employees and allowed by employers. These non-company controlled devices, however, are accessing proprietary corporate information and frequently exposing organizations to a higher degree of risk.
“Does your organization have a bring your own device (BYOD) policy?”
- 47% responded yes which is consistent with last year’s response.
The Role of Insurance in Information Security and Cyber Risk Management
The upward trend in the percentage of companies purchasing cyber liability insurance plateaued in 2014.
“Does your organization purchase cyber liability insurance?”
- 52% responded yes
- 35% said no
- 13% did not know
Of the respondents who purchase coverage
- 32% have purchased it for less than two years
- 47% between three and five years
- 22% for more than five years
- The percentage of companies who buy coverage for loss of income due to a data breach dropped slightly from 54% in 2013 to 48% this year.
Finally, respondents that do not currently purchase cyber insurance were asked “Are you considering buying this coverage in the next year?” 54% said yes. This was only a one percentage point increase from 2013.
The full survey can be found here.