“Many companies still do not devote sufficient attention to cyber risks, despite an increase in frequency, scope, and sophistication – and harsher penalties for lack of regulatory compliance and loss of sensitive data.” That’s the conclusion from research conducted in association with the Federation of European Risk Management Associations (FERMA) by Harvard Business Review (HBR) Analytic Services, corporate insurer Zurich and the public sector risk management organization PRIMO.
FERMA board member Julia Graham, who led FERMA’s participation in the project, pointed out: “Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered.”
FERMA noted that “more than three-quarters (76 percent) of survey respondents said that information security and privacy had become more significant areas of concern in the past three years. A majority also indicated that board involvement is growing in their organization.”
However, the final report from HBR and Zurich concludes that companies “must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance.”
Graham explained: “Information security is a classic enterprise risk. It is not solely a subject for the domain of the chief information officer or the chief information security officer.”
Moreover the report notes that “only 16 percent of companies covered in the survey have designated a chief information security officer to oversee cyber risk and privacy, and less than half (49 percent) agree they have a strategy for communication to the general public in case of a cyber-risk incident.
“Just 19 percent of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues, and only 44 percent said their company’s budget for these risks has grown.”
The sheer number of ways in which data can be lost, stolen, or misappropriated illustrates the prevalence of the threat. Respondents highlighted the following threats to information security and confidentiality:
1) malware and other viruses
2) administrative errors
3) incidents caused by data providers
4) malicious employee activity
5) attacks on web applications
6) theft or loss of mobile devices
7) internal hackers
Regulation and compliance concerns appear to be driving much of organizations’ planning around cyber risk. Survey respondents most frequently placed business income loss and the cost of restoring crucial proprietary electronic information among their top five concerns. The next three concerns all related to legal liability:
– Legal defense and settlement costs from third party claims
– Costs of regulatory settlements
– Costs of defending regulatory investigations.
FERMA noted that it will focus on the cyber risk issue at a session during its 2013 Risk Management Forum in Maastricht starting on September 29.