Ferma-backed study finds cyber risk still not being properly managed
The survey finds that only 16% of companies have designated a chief information security officer to oversee cyber risk and fewer than half (44%) have increased their budget to tackle the problem. Less than half (49%) say they have a strategy for communication to the general public in case of a cyber risk incident.
According to the study conducted in association with Ferma by Harvard Business Review Analytic Services, Zurich and the public sector risk management organisation PRIMO, as few as 19% of companies have purchased insurance specifically designed to cover their security exposures.
Ferma said these findings suggest a lack of appetite to manage cyber risk fully, despite an increase in the frequency, scope and sophistication of attacks and harsher penalties for lack of regulatory compliance and loss of sensitive data.
Ferma board member Julia Graham, who led the federation’s participation in the project, said: “Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered.”
“Information security is a classic enterprise risk,” commented Ms Graham. Despite the fact that relatively few companies say they employ a specific chief information or chief security officer, the management of this risk should not solely be left to such an individual, she added.
The survey concludes that ‘organisations must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance’.
Respondents to the survey rated malware and other viruses as being the most serious information security concern for their organisations.
This was followed in order of severity by administrative errors, incidents caused by data providers, malicious employee activity, attacks on web applications, theft or loss of mobile devices and then internal hackers.
Despite malicious employee activity being one of the most serious concerns, only a third (36%) of respondents said their organisation conducts information security and risk training at enterprise level for all employees. Less than half (46%) said the training occurs either annually or biannually.
Regulation and compliance concerns appear to be driving much of organisations’ planning around cyber risk. While survey respondents most frequently placed business income loss and the cost to restore crucial proprietary electronic information among their top five concerns, the next three concerns were all related to legal liability.
They were legal defence and settlement costs from third party claims, costs to comply with regulatory settlements and costs to defend against regulatory investigations.
Steve Wilson, Chief Risk Officer for General Insurance, Zurich Insurance Group commented: “The enormous expansion in the availability of information presents unprecedented opportunities and challenges for business and government. As well as regulatory responsibilities to protect proprietary information, organisations have a duty of care to ensure their measures are robust. Furthermore, companies are exposed to the risk of a significant decline in stock price compared with industry peers following a cyber security breach as a result of the negative reputation impact.”
And he added: “Cyber risk comes in a bewildering variety of forms for organisations and we hope this research will provide risk managers with important insights into this critical issue. As the survey shows, it is essential that organisations do not fall into the trap of a top-down approach, instead taking a holistic approach which engages all employees in meeting this challenge.”
The findings of the Meeting the Cyber Risk Challenge Report are based on a web-based survey of over 152 respondents involved in risk management.