Survey Assesses New Era in Cyber Risk
By Josh Bradford
NEW YORK–The vast majority of risk professionals acknowledge that information security and other cyber risks are at least a moderate threat to their organizations. Most say cyber exposures are the focus of specific risk management activities within their organizations. The level of sophistication in addressing these risks varies widely, although a growing number of organizations are adopting enterprisewide, or at least multidepartmental, approaches to information security and cyber risk management. However, only about one third of organizations purchase insurance as part of their cyber risk management strategies.
Cyber-related risks traditionally have been regarded strictly as the domain of an organization’s information technology department. Many believed that the IT department would keep the organization secure because viral infections and data breaches by hackers were issues best addressed by protections such as firewalls and anti-virus software, which are IT solutions.
A growing number of organizations are realizing now that cyber security extends well beyond their IT departments. A wide range of issues, such as lost or stolen data, violation of privacy laws, intellectual property infringement and social media-related risks, constitute a much broader scope of cyber exposures. This is leading many organizations to recognize that relationships among risk management, IT and other departments are essential to defending against cyber-related threats and implementing comprehensive protection mechanisms to minimize risks.
To gain insight into the state of enterprisewide information security and cyber liability risk management, a survey was conducted to help create a framework for identifying and addressing cyber risks throughout an organization, in addition to collecting data on information security and cyber risk management. Invitations to participate in the survey were distributed by e-mail and were completed at least in part by 503 respondents.
Most respondents classified themselves as risk managers (58 percent), followed by risk management department professionals at 17.8 percent and enterprise risk managers at 8.7 percent. Those with more than 20 years of experience formed the largest group, followed by those with 11-20 years, 6-10 years, and five or fewer years. A broad array of industries was represented, and the survey included businesses of all sizes, but was weighted toward larger companies.
Recognizing The Threat
The vast majority of respondents indicated they believed information security and other cyber-related exposures posed a threat to their organizations. In responding to a question about how they rated the potential dangers posed to their organizations by cyber and information security risks, 13.1 percent said extremely serious, 43.2 percent said serious, 29.7 percent said moderate, 12.4 percent said mild, and 1.6 percent said very mild. In total, 86.0 percent of respondents agree that cyber and information security risks pose at least a moderate danger to their organizations (Figure 1).
Information security and cyber liability have become important topics for organizations of all sizes across all industries. Smaller companies (revenue less than $250 million) view cyber risks only slightly less seriously than the largest companies (revenue greater than $10 billion), with 72 percent of smaller companies saying the risks pose at least a moderate danger compared with 77 percent of large companies.
Of the total respondents, 71.7 percent said information security risks were a specific risk management focus within their organizations. However, in the opinion of the survey respondents, the threat is viewed less seriously by key decision makers. When asked whether their organizations’ executive management viewed cyber risks as a significant threat, 45.3 percent said yes for their boards of directors and 57.9 percent said yes for their C-suite executives. This suggests that more communication with upper management may be necessary to educate them on the risks of cyber-related exposures.
On a scale of one to five, with five as a very high risk and one as a very low risk, “reputational damage to an organization as a result of a data breach” was the biggest concern of respondents, with 59.4 percent giving it a rating of four or five. This was followed by an “electronic data breach” with 53.7 percent and “reputational damage to the organization via social media” with 49.3 percent.
In contrast, the exposures perceived to represent the lowest risks with a rating of one or two included “infringing on others’ intellectual property” with 46.7 percent, “business interruption (caused by) supplier and/or customer cyber disruptions” with 39.3 percent, and “employment practice risks (because of) using social media” at 33.6 percent (Figure 2).
Disaster Response Plans
Research shows that organizations that have comprehensive disaster response plans in place before a breach occurs fare much better after a major breach than those that do not. Of total respondents, 68.8 percent say that they have disaster response plans in place, while only 16.5 percent say that they do not and 14.7 percent do not know. The larger companies represent a bigger portion of the total, with 79 percent having a disaster response plan compared with only 55 percent of the smaller companies.
In the event of a data breach, the survey respondents indicate that their IT (41.6 percent) and general counsel (30.6 percent) departments have primary responsibility for assuring compliance with all applicable federal, state or local privacy laws, including state breach notification laws. The larger the company, however, the more likely it is to rely on its general counsel, while smaller companies rely more on their IT departments than on general counsel.
The majority of survey respondents recognize that it is the responsibility of the entire organization to mitigate risks. When asked if their organizations had a multidepartmental information security risk management team or committee, 57.2 percent of those who responded said yes and 34 percent said no. The departments or functions that are most likely to be represented in the information security risk management team include IT at 95.9 percent, risk management/insurance at 78.1 percent, general counsel at 65.7 percent, internal audit at 55.0 percent, treasury or chief financial officer at 30.2 percent, investor relations at 10.7 percent, marketing at 10.1 percent, and sales at 8.9 percent.
Although many respondents recognized information security and cyber risk management as an enterprisewide responsibility, the IT department still was acknowledged as the frontline defense against information losses and other cyber liability risks. Of those who answered the question on which department was primarily responsible for spearheading their companies’ information security risk management efforts, 73.2 percent said it was the responsibility of the IT department.
As noted, nearly half of organizations consider reputational damage through social media a significant threat to their organizations. Of the companies surveyed, 63.6 percent had social media policies in place, 26.7 percent did not, and 9.7 percent did not know. The larger companies represented a bigger portion of those with social media policies.
Cyber Liability Insurance
Although information security and cyber risks were widely acknowledged as serious concerns by the survey respondents, 60.1 percent said their organizations had not purchased cyber liability insurance, compared with 35.1 percent who said their companies had bought cyber liability insurance. The larger organizations represent only a slightly higher percentage of those with cyber liability insurance than do smaller organizations.
According to the participants’ comments, explanations for why companies do not purchase cyber liability insurance include investing in prevention rather than insurance, limited markets, broker disconnects, lack of coverage clarity, lack of information to make informed decisions, expense, application process difficulty, high deductibles, and limited policy coverage.
Of those who purchase coverage, 37.9 percent said they had held it for less than two years, 37.1 percent said between three and five years, and 25.0 percent said more than five years. That more than a third of buyers are recent ones suggests the number of organizations that recognize the role insurance can play in an information security and cyber risk management program is increasing. In addition, among the companies that had not purchased cyber liability insurance, 24.3 percent said they were considering buying coverage within the next year.
The vast majority of organizations view information security and other cyber risks as at least a moderate threat. Larger organizations view the risk as only slightly more important than their smaller counterparts, but as a whole, they tend to be more involved in enterprisewide risk management.
More than two-thirds of respondents claim that information security risks are a specific risk management focus within their organizations. Organizations increasingly have implemented, or are in the process of implementing, organizationwide information security approaches. Most have some form of multidepartmental information security and cyber risk team or committee. For most, the IT department plays a leadership role in the information security and cyber risk management process, but other departments also play significant roles in a majority of the companies that have multidepartmental teams or committees.
More than two-thirds of respondents say their organizations have disaster response plans in place in the event of a major breach. For 41 percent of respondents, the role of the IT department includes fulfilling data breach notification laws. This may represent a significant deficiency in emergency response planning. The IT department often is ill-equipped to interpret the notification requirements of dozens of states and to marshal the resources necessary to fulfill the requirements of each state following a major breach.
While most companies have implemented information security and cyber risk management programs, the majority of these organizations do not incorporate cyber insurance as part of their overall strategies. However, the growing interest in this coverage is apparent in the increased number of companies that have purchased protection in recent years or are planning to buy coverage in the near future.
JOSH BRADFORD is an associate editor at Advisen, where he is responsible for researching, writing and editing topical reports and white papers. Bradford is also responsible for creating, administering and analyzing topical and marketing surveys for Advisen and its clients. The company provides information and analytical services to commercial insurers, insurance brokers, underwriters, corporate risk management departments, law firms and other organizations. Prior to his current position at Advisen, he was a producer at a commercial property & casualty insurance brokerage. Bradford began his career with a sports marketing firm.