Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Cyber Insurance

Cyber insurance: trying to quantify risks

Bloomberg Intelligence August 24, 2015

This analysis is by Bloomberg Intelligence analysts Charles Graham and Edmond Christou.  It originally appeared on the Bloomberg Professional Service.

Personal data theft, cyber-attacks whet appetite for insurers

The value of personal data stored on corporate databases is rapidly increasing. For EU citizens it is set to reach 1 trillion euros ($1.4 trillion) by 2020, according to Boston Consulting Group. This is raising the need for greater protection. The increased incidence of data breaches and misuses as hackers become more sophisticated has also imposed greater regulatory requirements on businesses. Companies are seeking new products from insurers to limit the cost of interruption, reputational damage and penalties.

Companies Impacted: While cyber risk potentially affects many classes of business, there are a number of providers including AIG, Allianz, Munich Re, Swiss Re and Zurich Insurance Group, as well as specialist insurers like Beazley and Hiscox, which have developed specific cyber products.

Photographer: Craig Warga/Bloomberg

Insurers view industry as ill-prepared for risk of cyber theft

Cyber theft is top of the list of risks for which businesses are least prepared, according to Allianz’s 2015 Risk Barometer Survey. Companies need to understand the potential effect of a cyber-attack on their supply chain, the liability they could face if they can’t deliver products on time and the legal penalties if they lose customer data. While computer systems can be improved, it is impossible to make them entirely secure. This is creating opportunities for insurers.

Companies Impacted: Allianz’s 4th Risk Barometer Survey was conducted among global businesses and risk consultants, underwriters, senior managers and claims experts within Allianz in October and November 2014. Insurers offering cyber-risk cover include AIG, Allianz, Zurich, Beazley and Hiscox.

Swelling cyber-attack costs are driving wider insurance coverage

The average cost of a data breach has increased to $3.79 million, according to a study by the Ponemon Institute based on a survey of 350 companies in 11 countries. This cost has increased by 23% since 2013. The average cost for each lost or stolen record containing sensitive information rose to $154 this year from $145 in 2014. Concerns about data breaches and privacy have led to legal reforms in the U.S. and Europe, which may help drive demand for cyber-insurance.

Companies Impacted: Increasing cyber-attacks have driven insurers such as AIG, Allianz, Beazley, Hiscox and Zurich Insurance, to expand their product offerings to include first- and third-party coverage for cyber-risk.

Retailers face biggest threat from cyber theft, data breaches

Retailers face the biggest threat from data breaches, according to figures compiled by Zurich Insurance. The food and beverage industry is second in line for hackers followed by hospitality, finance and professional services. Carphone Warehouse discovered on Aug. 5 that personal data of 2.4 million of its customers and encrypted credit card details for 90,000 clients may have been accessed in a data breach. Insurers are tailoring products to meet different industries cyber risks.

Companies Impacted: Insurers work with companies to identify best practices in data privacy and security to help to minimize the financial cost should a breach occur. AIG, Allianz, Beazley, Hiscox, Zurich Insurance are among the companies to have developed cyber-insurance coverage.

Die hard 4.0 cyber scenario could cost more than $1 trillion

A cyber-attack on the U.S. power grid could cost $243 billion rising to more than $1 trillion in the most extreme scenario, according to a study by Lloyd’s of London and the University of Cambridge. The report examines the insurance implications of a major cyber-attack. It depicts a scenario where hackers shut parts of the grid, plunging 15 U.S. states and Washington DC into darkness, leaving 93 million people without power. Insurers are just starting to wake up to the scale of potential losses.

Companies Impacted: Cyber-insurance risks are widely underwritten at Lloyd’s with 47 managing agents offering cover, including quoted groups Beazley, Hiscox and Novae. Lloyd’s introduced new risk codes for data and privacy breaches and cyber-related property damage in 2015.

Swiss re joins forces with IBM to fight cyber threat

Munich Re has partnered with Hewlett-Packard and Swiss Re with IBM to develop solutions that offer clients cyber protection and provide support in the event of a security breach. IBM will assess clients’ external and internal vulnerability to cyber-attacks and offer options for mitigating these risks. IBM’s security platform provides intelligence to help organizations protect their clients’ data, applications and infrastructure.

Peer Comparison: Swiss Re’s Corporate Solutions business is one of a number of insurers offering cyber coverage. Other companies include AIG, Allianz and Zurich Insurance.

Advertisements

Cybersecurity: The Looming And Growing Threat

Corporate legal spending on cybersecurity issues hit $1 billion last year, according to the BTI Legal Spending Outlook. It’s easy to see where this money is going: By 2018, more than 50% of organizations will use outsourced providers for security, Gartner predicts.

Here are seven trends expected to impact CIOs, law firms, and their clients in the year ahead:

1. Banking on IT and law firms vulnerability

In the wake of last year’s cyberattack that affected 80 million J.P. Morgan Chase customers, several banks asked their law firms to implement stronger security measures. Today, several banks and major U.S. law firms are collaborating to create a formal group by year end where they can share best practices with each other and government agencies.

“Law firms increasingly are seen as potential weak links,” the Wall Street Journal reported. “Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions.”

2. Data breaches growing more common

More than one-quarter (27%) of chief legal officers reported a data breach within the past 24 months, according to the Association of Corporate Counsel‘s recently released 2015 CLO Survey. Healthcare CLOs were most vulnerable: almost half reported a breach in the last two years, compared with approximately one-fourth among CLOs in other lines of business, the report found.

4. Changing Regulatory Landscape

This year, the European Union is expected to unroll more stringent disclosure and liability requirements that it will start enforcing in 2016. This could lead to a business boom for law firms, will likely also necessitate educational outreach: 77% of European companies surveyed by security developer Sophos did not know whether or not they were compliant with current standards.

Across the pond, President Barack Obama also has called for changes to the Computer Fraud and Abuse Act, the federal anti-hacking statute.

5. Crashing Mobile

Today, 96% of lawyers at firms with 100 or more attorneys use a smartphone, according to the American Bar Association’s annual Legal Technology Survey. And 49% of all lawyers surveyed use a tablet, the report found.

This makes attorneys vulnerable to a growing number of viruses, spam, and attacks specifically targeting mobile devices. If unprotected by even a basic password or biometric safeguard, lost devices leave a firm vulnerable to stolen data. Across industries, only 54% of respondents implemented a mobile security strategy in 2014 compared with 42% the prior year, a PricewaterhouseCoopers study reported. In addition, 47% now use mobile device management (MDM) or mobile application management (MAM), versus 39% in 2014, PwC said.

Across all industries, 46% of IT decision makers plan to increase security spending for mobile this year, Ernst & Young determined.

Advances in wearables and future decisions in how and whether healthcare can incorporate data from devices such as fitness monitors will further complicate mobile security for firms involved in these areas and the CIOs who support them.

5. Insurance at a Premium

Organizations increasingly invest in cybersecurity insurance, to lessen the potential impact of a breach, network damage, or business interruption. Once offered by only a handful of specialized firms, these plans now are available from a wide array of insurers.

To attain cybersecurity insurance, organizations typically must undergo audits and other processes to assure the insurer of the firm’s viability. CIOs, in partnership with governance, risk-mitigation, or the COO, are then assured both of the caliber of the firm’s existing security set-up and of financial coverage should the unwanted occur. Cybersecurity insurers include: AIG; Chubb Group of Insurance Companies; Marsh USA; Philadelphia Insurance Companies, and Travelers Indemnity Co., among many.

6. Ignore Social Niceties

Many law firms hire outside experts to conduct vulnerability assessments and craft strategies to combat Many experts advise staff to frequently reset passwords that contain symbols, capital letters, and numbers. And best practices must address common phishing scams, especially those targeting corporate or client contact information or employee data. Fake apps, fraudulent social media contacts, and hackers masquerading as maintenance staff are all favorite guises for social engineers.

7. All for One, One for All

Security is not exclusively the CIO or CSO’s responsibility. Rather, security must be weaved throughout a law firm so every employee, partner, and attorney cares and acts with security in mind. Communication between departments to ensure security procedures are effective but not onerous help develop a security conscious environment.

Frequent reminders, via screensavers, automated systems, brief self-paced videos, or occasional webinars – remind everyone about security measures. Quickly responding to users’ needs to avoid rogue setups further eliminates vulnerable areas.

Author:

TAKE UP OF CYBER INSURANCE REMAINS LOW

Marsh has undertaken an in-depth study into organisations’ attitudes towards the cyber threat, the management control processes they have in place, and their understanding and use of cyber insurance as a means of risk transfer. The benchmarking data in this report was collected from risk professionals and CFOs from large and medium-sized corporations from across the UK.

Spotlight on cyber risk to UK companies:

  • 18% of organisations have a “complete understanding” of cyber risk, down on last year
  • 4% of UK businesses have board-level oversight of cyber risk
  • 4% of companies do not assess their suppliers and/or customers for cyber risk

Firms across the UK continue to place cyber among their leading risks in terms of the likelihood and severity of impact; however, suggest there is still a lot of work to do to improve understanding and management.

Interestingly, there has been a substantial drop in the percentage of respondents who feel they have a “complete understanding” compared to last year (down from 34% to 18%).

This comes at a time when cyber risk is being elevated as a board agenda item, suggesting that executive-level interrogation has exposed a pre-existing overconfidence in the level of knowledge and understanding within certain organisations.

If this is the case, then it is clear those tasked with creating and delivering critical management information relating to cyber risk need more help and guidance to get them to a position where the level of management information is adequate.

Cyber risk is ranked as a tier one threat according to the UK National Security Strategy, and it is therefore surprising that 26.4% of UK companies surveyed do not consider it to be material enough to even get on the risk register. Just 16.6% of companies place cyber as a Top five risk on the risk register, while the remainder place it outside of the Top 10.

73% of respondents from the manufacturing industry say that cyber risk does not appear in the Top 10 risks on their corporate risk registers, the highest proportion of industry segments we surveyed.

This is perhaps understandable due to a low level of high-profile cyber incidents within the industry; however, as a key target for industrial espionage, and with instances of industrial control technology being compromised recently reported, one could argue that the threat is being underestimated.

The fact that fewer than 31.9% of respondents have identified one or more cyber scenarios that could most affect their organisations suggests that the lack of a complete understanding and absence/low positioning of cyber on the risk register is, for many companies, filtering through to a lack of definition around specific scenarios that might impact their businesses.

Board-level ownership of cyber risk exists in 19.4% of UK organisations. While this figure is broadly in line with last year’s findings (20%), it remains very low. Meanwhile, IT departments continue to take primary responsibility for cyber risk in 55.5% of organisations. Cyber risk is increasingly recognised as a business risk rather than simply a technical control, and, within this context, it is disappointing to note that there is no material upwards movement in risk management and board functions seizing responsibility from IT (the percentage has risen incrementally to 15.3% from 14% in 2014). IT departments might know how to implement cybersecurity; however, the inability of IT to drive value for the organisation or the potential for significant damage to be caused as a result of a security breach, most certainly is a business risk, the consequences of which will be felt at the highest levels of the organisation should it occur.

Boards therefore need to take ownership of cyber risk before a cyber event forces it on to the board agenda, and communicate the identified security priorities to IT departments so that they can align their activity and resources against the business’s risk management agenda.

Lack of data continues to prevent companies from adequately assessing cyber risk

The percentage of firms that have experienced a cyber-attack in the past 12 months has risen to 40.3%, albeit marginally (from 31% in 2014).

However, compared with other statistics (HM Government’s 2015 Information Security Breaches Survey states that 90% of large organisations and 74% of small organisations have suffered a security breach), this figure is still low, indicating that many of the respondents to this year’s survey are either particularly fortunate or (more likely) unaware of breach events within their firms.

Interestingly, 100% of respondents in two industries, communications, media, and technology and energy reported that they had been subject to a cyber-attack in the past 12 months. This most likely reveals a more enlightened position of those organisations rather than any high level of vulnerability.

In terms of organisations that have conducted or estimated the financial impact of a cyber-attack, this year’s survey results are somewhat contradictory to earlier findings. As such, it would be reasonable to question the rigorousness of the financial analysis around those numbers and how many are in fact high-level estimates rather than worst loss values calculated from detailed information and knowledge of cyber risk and individual exposures.

61.1% of organisations have not yet made any attempt to estimate/calculate loss estimates, however, suggesting that they are operating in the dark when it comes to the financial impact upon their businesses.

This puts them in a poor position to transfer the risk or even to appreciate whether a cyber event might threaten the viability of the company. Event modelling, combined with financial stress testing, is required to evaluate both the total financial loss attaching to an event and the shorter-term availability of cash to maintain trading.

The majority of organisations have not planned for sources of funding; however, the 48.9% that have is an encouraging number. Since just 11.1% of companies are buying insurance, it must be the case that companies are bypassing the insurance market and finding alternative methods to fund the risk (from available cash lines or lines of credit or assets that can be disposed of rapidly, for example).

Possessing and rehearsing an incident response plan is recognised as having a very positive effect on the operational, financial, and reputational impact of a cyber- attack upon an organisation.

The effect for breaches of personal data was quantified in the Ponemon Institute’s 2015 Cost of Data Breach Study, which reveals that those companies with an incident response team in place typically make a GBP £9.50 saving on the per capita cost of a data breach, compared with the mean per capita cost.

Lack of control over suppliers/third parties a major concern

It is both a surprise and a huge concern that 69.4% of respondents to this year’s survey do not assess the suppliers and/or customers they trade with for cyber risk.

Suppliers and external organisations with whom system links are shared present one of the key vulnerabilities to UK companies. Businesses have done a lot to improve cybersecurity in the past 12 months; however, their exposure to third parties, whether service providers, product suppliers, customers, or, in the case of banks, borrowers, presents significant risks to companies’ networks. In addition to this, 51.4% are not asked to demonstrate a competent standard of IT security practices to their own bank and/or customers in order to do business with them.

While organisations can control their own networks, they have much less control over those of the suppliers/third parties that they might be linked to. Without the appropriate checks, this leaves them exposed and lacking control over standards of IT security in systems where hackers might find a “back door” into their organisation.

There therefore needs to be an improvement in supply-chain resilience to cyber-attack if organisations are going to reduce the threat arising from this key vulnerability. This is especially true for large organisations with a profile that attracts highly motivated and sophisticated hackers who might identify smaller business partners that are typically less well protected. For example, a recent report published by Marsh and the UK Government highlighted that 22% of small businesses admit they “don’t know where to start” with cybersecurity.

One of the most well-publicised cyber breaches in recent years occurred at a large US retail company after hackers stole network credentials from a third-party heating, ventilating, and air conditioning (HVAC) contractor that had an IT link with the victim’s corporate systems. Incidents like these are likely to rise in frequency until organisations place greater focus on setting out the basic technical controls that all suppliers/ contractors should have in place.

More than half of respondents are not asked to demonstrate a competent standard of IT security practices to their own banks and/or customers.

Take up of cyber insurance remains low

52.8% of respondents’ organisations are engaged with the insurance market in one way or another. 

Marsh’s experience and earlier findings in this survey suggest that the remainder are not yet ready to approach the market as they have an incomplete understanding of the risk, as opposed to them making a conscious decision not to purchase insurance following a value-based judgment.

This latter explanation would tie in with the earlier finding that 68.1% of organisations have not identified one or more cyber scenarios that could most affect their organisations. Organisations such as these, because they have not carried out the financial assessment required are in a poor position to approach the insurance market and place a value on transferring the risk. The survey data therefore suggests that more work needs to be done by organisations and their professional advisers, including their insurance brokers, to help improve their understanding of cyber risk and their cyber exposures and demonstrate what value insurance can bring.

The insurance market continues to address the issues that represent organisations’ greatest concerns a standard cyber insurance policy can deliver cover against breach of customer information (31.9%) and business interruption (22.2%), while computer crime/fraud (12.5%) can be insured against via a comprehensive crime insurance policy. The insurance market is also making inroads to deliver meaningful cover for reputational loss (8.4%).

Of particular interest is that none of the respondents from the industrial sectors identified physical property damage as a priority risk, despite a lot of recent attention being given to the threat that exists to critical infrastructure and the potential for tampering with industrial control technology.

The findings suggest that companies recognise that cyber insurance is not a holistic solution in dealing with cyber exposure and that, in fact, it covers only certain specific events and outcomes.

Cyber exposure might attach itself to a number of different insurance policies that need to maintain an effective response when the loss or liability outcomes are created by cyber events. 48.6% of respondents admit to having “insufficient knowledge” in order to assess the insurances available, which may suggest a lack of insight into what can be insured by a cyber insurance policy. However, in view of the earlier findings, this figure might also indicate that a lack of understanding of their firm’s own risk profile places many respondents in a position where they are unable to make an informed judgment as to whether the cover is appropriate.

Cyber insurance is not a holistic solution in dealing with cyber exposure and covers only certain specific events and outcomes.

Marsh’s conclusion

Clearly, there is still a lot of work that needs to be done by UK organisations in order to improve their understanding and management of cyber risk. Achieving a high level of understanding is essential as it serves as the foundation stone upon which all other cyber risk transfer and mitigation decisions need to be made.

The solution to this lies in the boardroom, and it is still a great concern that the board takes primary responsibility for cyber risk in 19.4% of organisations surveyed. Only with board-level buy-in can companies take the big strides needed to advance their knowledge and perform the financial modelling required. Proper assessment and quantification of the risk will lead to better targeted mitigation, practical improvements in risk management, and the ability to judge the value of the risk transfer options available on the market.

One particularly interesting, and somewhat remarkable, finding to emerge from this year’s survey is 69.4% of respondents’ organisations do not assess the suppliers they trade with for cyber risk. Supply chains are proven to be a critical vulnerability in corporate IT networks, yet there appears to be too little work being done to ensure that the entities with which companies share system links are following basic good security practices.

This has to improve as, for all the proactive steps taken and money invested to harden corporate networks against cyber-attacks, a security breach at a contractor or service provider, for example, could potentially allow hackers to circumnavigate all of that.

The insurance industry can play and is already playing a role in that assurance process; however, more work needs to be done in order to move the security focus away from the edge of the corporate network and to the heart of strategic decision making.

The full report with the references can be found here.

The majority Of Risk Professionals Without Coverage Are Considering Purchasing Cyber Insurance

RIMS, the risk management society ™ has conducted its first Cyber Survey 2015 to explore strategies implemented by risk professionals including insurance investments, exposures, cyber security ownership, government involvement, as well as identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey, in part, to identify methods and response procedures used by its members. As well, the organization wanted uncover strategies in place addressing areas such as insurance investments, exposures, cyber security in order to uncover strategies used by its members against cyber threats, including insurance investments, exposures, cyber security ownership and government involvement.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern”

Key survey findings:

  • 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.
  • The top three first party exposures reported are:
    1. 79% reputational harm
    2. 78% business interruption
    3. 73% data breach response and notification
  • 51% said their companies or organizations purchase standalone cyber insurance policies.
  • 58 percent of those with cyber insurance policies carry under $20 million in cyber coverage, and just under half of those said they pay more than $100,000 in premium.
  • 74% of respondents who said their companies lack cyber coverage are considering getting it within the next 12-24 months.

The Evolution of Cyber Risk – and ACE Infographic

Evolution of Cyberrisk 1evolution of cyberrisk 2

Cyber insurance is a major growth area for commercial insurers

The Insurance Information Institute (I.I.I.) conducted it’s 19th annual Property/Casualty Insurance survey and found Cyber-Crime is exposing businesses, both in the U.S. and abroad to greater levels of liability than ever before, which is why the market is far from saturated.

The survey’s key findings are below:-

  • 80% of executives said they see Cyber insurance as a major growth area for commercial insurers
  • 78% expect industry capacity (as measured by policyholder surplus) to increase in 2015
  • 72% believe the federal government is interested in further expanding its regulatory oversight of insurers
  • 56% believe the economy will accelerate; 6% believe it will decelerate and 38% believe it will remain about the same
  • 92% believe that M&A activity among insurers/reinsurers increase in 2015? For example the XL Group’s acquisition of Catlin for $4.2billion

The U.S. economy appears to be picking up steam, which translates into more economic activity and the addition of capacity. This means more businesses and people will need more insurance, implying further increases in insurance premium volume,” said Dr. Steven Weisbart, senior vice president and chief economist with the I.I.I. “Moreover, business bankruptcies in 2014 dropped below their lowest level in the last two decades, so the erosion of commercial accounts will continue to ease. As the economy inches closer to full employment, we may begin to see wage increases that outpace inflation for the first time in nearly a decade, primarily affecting the workers compensation line. Further, the low-interest rate climate, which has lasted longer than virtually everyone thought likely, is expected to begin a return to normality sometime in the second half of 2015. Absent devastating natural catastrophes, 2015 could be another profitable year for insurers

The sponsoring organizations of the Forum represent a broad range of insurance interests and audiences and include: ACORD, American Insurance Association, the Association of Bermuda Insurers and Reinsurers, The Geneva Association, Insurance Institute for Business & Home Safety, Insurance Information Institute, Insurance Institute for Highway Safety, International Insurance Society, National Association of Mutual Insurance Companies, National Council on Compensation Insurance, National Insurance Crime Bureau, Property Casualty Insurers Association of America, Property & Liability Resource Bureau, Reinsurance Association of America, The Institutes and Verisk Analytics.

Find the original article here.

Reducing Cyber Risk; Marine transportation system Cybersecurity standards, liability protection and Cyber Insurance

An article in the Coast Guard Journal of Safety & Security at Sea written by David Dickman, Diz Locaria and Jason Wool Container shipcontains a very interesting article “Reducing Cyber Risk; Marine transportation system cybersecurity standards, liability protection, and cyber insurance”.

An excerpt:

Within our nation’s marine transportation system (MTS), computers, information networks, and telecommunications systems support fundamental port and maritime operations.

While this technology provides great benefits, it also introduces vulnerabilities.

In several recent incidents, bad actors exploited cyber weaknesses within MTS elements with significant repercussions.

Some examples include:

  • Somali pirates have exploited online navigational data to choose which vessel to target for hijack
  • hackers incapacitated a floating oil rig by tilting it and forcing it to shut down
  • malware caused another drilling rig to shut down for 19 days, after bringing systems to a standstill
  • hackers infiltrated computers connected to the Port of Antwerp, located specific containers, made off with
    smuggled drugs, and deleted the records.

The full article can be found in the journal by clicking here.

Information Security and Cyber Liability Risk Management – a 2014 survey

Advisen Ltd and Zurich have partnered for a fourth consecutive year on a survey designed to gain insight into the current state and on going trends in information security and cyber liability risk management. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed at least in part by 507 respondents.

The majority of respondents classified themselves as either

  • Member of Risk Management Department (not head) (38%)
  • Chief Risk Manager/Head of Risk Management Department (33%)

Respondents with more than 20 years of risk management and insurance experience represented the largest group at 39% of the total, followed by 25% with between 11 – 20 years, 18% with 5 years or less, and 17% with between 6 – 10 years.

A summary of the survey is below.

Perception of Cyber Risks

Respondents’ perception of cyber risk is largely unchanged from last year with 88% considering cyber and information security risks to be at least a moderate threat to their organization. Respondents do however believe that board members and executive management are viewing cyber risks more seriously.

“In your experience, are cyber risks viewed as a significant threat to your organization by:”

  • 64% said “yes” for Board of Directors (54% in 2013)
  • 72% said “yes” for C-Suite Executives (6% in 2013)

Perception of risk varies based on size of business. Although studies have suggested that small companies are targeted as frequently, if not more so, than larger companies, as a group they continue to view cyber risks less seriously. In response to the question

How would you rate the potential dangers posed to your organization by cyber and information security risks?”

  • 81% of the smallest companies (revenues less than $250 million) consider cyber risks to be at least a moderate danger
  • 93% of the largest companies (revenue greater than $10 billion) consider them to be so.

Consistent with last year’s study, on a scale of one to five, with 5 as very high risk and 1 as very low risk, “damage to your organization’s reputation resulting from a data breach” is the biggest concern of respondents with 64% rating it a 4 or 5. This was closely followed by “incurring costs and expenses from a cyberattack” with 62%, and “privacy violation/data breach of customer records” with 61%.

In contrast, the exposure perceived as the least risky was “theft or loss of customer intellectual property” with 43% rating it a 1 or 2. This was followed by “business interruption due to customer cyber disruptions” with 33%, and “employment practice risk due to use of social media” with 32%.

Data Breach Response

Over the past year, huge and highly recognizable U.S. businesses have fallen victim to some of the largest data breaches in history. These breaches are proof that even those with the most sophisticated information security practices and infrastructures are vulnerable to a cyber-attack. Some suggest that corporate data breaches are no longer an “if” or even a “when” proposition, but rather “how bad” will the inevitable breach be. When a breach does occur, research suggests that organizations that have data breach response plans in place prior to a breach, fare much better than those who do not.

“Does your organization have a data breach response plan in the event of a data breach?”

  • 62% said yes
  • 14% said no
  • 24% did not know

“In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?”

  • IT – 38%
  • General Counsel – 21% received the highest percentage of the responses.

Information Security and Cyber Risk Management Focus

Consistent with the 2013 survey, 80% claim that information security risks are a specific risk management focus within their organization. Larger companies are slightly more likely to make it a focus with 83% of companies with revenues in excess of $1billion doing so, compared with 77% with revenues under $1billion. However, the 6% point difference between small and large companies is significantly less the 17% difference from a year ago.

The difference is even more significant when comparing the largest companies (revenues of $10 billion or greater) and the smallest companies (revenues of $250 million or less), with 92 % of the largest companies making information security a risk management focus compared with only 72% of the smallest companies.

For a second consecutive year, the percentage of respondents with a multi-departmental information security risk management team or committee has declined, 52% have an information security risk management team or committee which is down from 56% in 2013, and 61% in 2012. Although statistically still within the margin of error, this is a potential trend worth following. As in previous years, however, this varies materially based on the size of company with 58% of larger companies ($1billion in revenue or greater) claiming to have this team or committee compared to 42% of smaller companies (under $1billion in revenue).

The departments most likely to have representation on the information security risk management team are:

  • IT – 90%
  • Risk Management/Insurance – 73%
  • General Counsel – 63%
  • Compliance – 55%
  • Internal Audit – 47%
  • Treasury or CFO’s Office – 40%
  • Chief Privacy Officer – 36%
  • Marketing – 10%
  • Investor Relations – 6%
  • Sales – 5%
  • 9% Didn’t Know
  • 15% said Other
  • The most common write-in responses under “Other” were Operations and Security

The IT department is still acknowledged as the front line defense against information losses and other cyber liability risks. In response to the question “Which department is PRIMARILY responsible for spearheading the information security risk management effort?”

  • 69% responded IT
  • 11% Risk Management/Insurance
  • 5% responded Other. The most common other being Information Security

Social Media

Social media provides businesses with an array of benefits such as increasing brand awareness, promoting products, and providing timely support. It also exposes organizations to a degree of risk, such as the potential for reputational damage, privacy issues, infringing other intellectual property, and data breaches.

“Does your organization have a written social media policy?”

  • 74% responded yes
  • 17% no

Cloud Services

For a third consecutive year respondents were asked questions on cloud services. Thanks to its cost effectiveness and increased storage capacity, cloud services have become a popular alternative to storing data in-house. Warehousing proprietary business information on a third-party server, however, makes some organizations uncomfortable due to the lack of control in securing the information. Nonetheless, security concerns continue to be outweighed by the benefits.

“Does your company use cloud services?

  • 66% responded yes, up from 55% last year, and 45% in 2012.

“Is the assessment of vulnerabilities from cloud services part of your data security risk management program?”

51% responded yes – consistent with last year

Mobile Devices

“Does your organization have a mobile device security policy?”

  • 74 % said yes
  • 15 % said no
  • 13 % did not know

Larger companies continue to be more likely to have such a policy with

  • 82 % of large companies ($1 billion or greater) responding yes
  • 62 % of smaller companies ($1 billion or less).

The use of personal handheld devices for business purposes is increasingly preferred by employees and allowed by employers. These non-company controlled devices, however, are accessing proprietary corporate information and frequently exposing organizations to a higher degree of risk.

“Does your organization have a bring your own device (BYOD) policy?”

  • 47% responded yes which is consistent with last year’s response.

The Role of Insurance in Information Security and Cyber Risk Management

The upward trend in the percentage of companies purchasing cyber liability insurance plateaued in 2014.

“Does your organization purchase cyber liability insurance?”

  • 52% responded yes
  • 35% said no
  • 13% did not know

Of the respondents who purchase coverage

  • 32% have purchased it for less than two years
  • 47% between three and five years
  • 22% for more than five years
  • The percentage of companies who buy coverage for loss of income due to a data breach dropped slightly from 54 % in 2013 to 48 % this year.

Finally, respondents that do not currently purchase cyber insurance were asked “Are you considering buying this coverage in the next year?” 54% said yes. This was only a one percentage point increase from 2013.

The full survey can be found here.

Cyber Data Breach – Is Your Business Ready?

NewAgencyPartners 2NewAgencyPartners

How retail companies describe their Cyber Liability exposures

In a recent Willis Report: “Some Fortune 1000 Retailers Remain Silent on Cyber Threats”, Willis explain how the Retail industry compares to the Fortune 1,000 companies in their approach to Cyber Liability.

When describing the extent of cyber risk

  • 57% of retail firms disclosed their cyber exposures as significant, serious, material or critical, according to the study
  • 9% of the firms did not disclose any risks related to cyber exposures

Willis describe the results as

surprising” given that the retail industry has been the target of many of the highest profile system breaches to date, resulting in some of the largest losses, the report said

Other key findings of the report include:-

The top three cyber risks identified by the retail sector of the Fortune 1000 include:

  1. 74% privacy/loss of confidential data
  2. 66% reputation risk
  3. 61% cyber liability

9% cyber risk at the hands of “outsource vendors” which Willis described as “surprising” given the level of outsourcing across the sector and the reliance on third-party technology partners

In detailing cyber risk remedies

  • 49% of the retail companies cited the use of technical safeguards — more than the Fortune 1000 as a whole (43%)
  • 17% of retail companies reported inadequate resources to limit cyber losses, a potential “cause for concern,” as technical protections may not be sufficient to contain the effects of some cyber or technology events, Willis said.

9% of the sector indicated they purchased insurance for cyber exposures.

In Willis’s view the actual rate of cyber insurance may be substantially higher based on additional Willis data obtained in collaboration with insurance underwriters. This places them below

  • The funds sector (33%)
  • Utilities (15%)
  • Banking and conglomerates tied at 14% each)
  • Tech/telco and insurance (11%)
  • The media industry (10%)

The increasing frequency of “point-of-sale” breaches and “do-not- class-action law suits are described as an evolving cyber exposure.

The full report can be found here.

More organisations opting to take out Cyber Insurance

In 2013 70% of organisations in a Marsh Insurance survey said they would buy Cyber Insurance compared to 78% in the 2014 survey.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: