Cyber security is clearly on the minds of business executives, most of whom acknowledge their firms have been victimized by some sort of cyber attack. What are they thinking about cyber security, cyber liability and cyber insurance?
Below are summaries of five recent reports on cyber security in business and what businesses are doing to protect themselves. They are from Veracode/NYSE, Wells Fargo Insurance, Hartford Steam Boiler, Marsh and Disaster Recovery Institute International, and Georgia Tech Information Security Center.
NYSE and Veracode
Cyber security firm Veracode issued findings from a joint New York Stock Exchange Governance Services/Veracode survey of 276 board members revealing how cyber-related corporate liability is being prioritized in the boardroom. Nine out of 10 of those surveyed believe regulators such as the Federal Trade Commission (FTC) should hold businesses liable for cyber breaches if due care has not been followed, and more than 50 percent expect investors to demand more transparency as a result of the increased public focus on cyber liability.
Three out of five respondents foresee an increase in shareholder lawsuits as a result of heightened corporate liability for cyber security issues. Nearly 50 percent of those who knew of the FTC’s lawsuit against a major hotel chain said the case has influenced their executive discussions on cyber liability. In that case, a federal appeals court recently ruled that the FTC can pursue the defendant for failing to employ reasonable data security measures; one of the alleged failures was continuing to run vulnerable, out-of-date software.
Further, 90 percent of respondents feel third-party software providers should bear legal liability when vulnerabilities are found in their packaged software.
While 94 percent of respondents have increased or are planning to increase their security assessments to address liability concerns, two-thirds of respondents say they have also begun or are planning to insert liability clauses into contracts with their third-party providers. Respondents also mentioned hiring outside consultants as well as ramping up security training. Many are also increasing audit committee and board-level oversight – a strategy that’s in line with expert recommendations to report on the business’s cyber security measures to the audit committee quarterly, and to the full board on a regular basis.
A majority of the companies surveyed now have cyber security insurance—a market set to triple to about $7.5 billion in the next five years—mainly to mitigate financial losses arising from liability claims. Of those with insurance, 35 percent currently insure against software coding and human errors that can lead to loss of sensitive data.
While insurance is an important step in mitigating cyber risk, it is insufficient on its own to protect against the full impact of a breach, including brand damage and loss in shareholder value.
“Just as the evolution of fire insurance drove the creation and enforcement of minimum standards in the way buildings are constructed and protected, cyber liability insurance is set to soon create a new baseline for cyber security best practices,” said Sam King, chief strategy officer, Veracode.
The NYSE-Veracode “Cybersecurity and Corporate Liability: The Board’s View” survey was conducted electronically over the course of four weeks in September and October 2015. All of the 276 respondents are board directors or senior executives of public companies.
Wells Fargo Insurance
In a study of 100 U.S. middle market companies and large corporations, 85 percent said they have purchased cyber security and data privacy insurance coverage to protect against financial loss, while nearly half (44 percent) have already filed an insurance claim as a result of a breach.
However, while more companies are purchasing cyber security and data privacy insurance, some gaps still remain in incident response plans, making those companies vulnerable to the financial consequences of a data privacy incident, according to the study, commissioned by Wells Fargo Insurance’s Technology, Privacy and Network Risk Practice.
Examining middle market companies and large corporations with $100 million or more in annual revenue, the study measured the companies’ current levels of readiness to respond to a cyber security or data privacy incident, perceptions of their own security and network vulnerabilities, and challenges faced when purchasing coverage.
“While companies recognize the need for cyber security and data privacy insurance, purchasing coverage is not a complete solution. It’s also important to recognize that other factors, including testing incident response plans, employee awareness training, and following established privacy policies, are all critical components of an overall risk management program,” said Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice.
Not surprisingly, the most common reasons given for purchasing this specialized coverage were to protect the business against financial loss (78 percent), protect shareholders (64 percent), and help prepare for data privacy events (61 percent). Of those that filed an insurance claim, 96 percent reported that they were satisfied with their coverage and with how the claim was handled, and that their policy had enough coverage for expenses and damages.
For almost half of the companies that have cyber and data privacy insurance, the biggest challenges they faced when purchasing the coverage were finding a policy to adequately fit their company’s needs (47 percent) or the cost (42 percent).
Hartford Steam Boiler
Nearly 70 percent of businesses say they’ve experienced one or more hacking events in the last year, but 55 percent aren’t confident that they’re dedicating enough dollars or personnel to fight the evolving problem, according to a study of risk managers from technology and data security insurer Hartford Steam Boiler. The study was conducted at the Risk and Insurance Management Society Conference (RIMS) in New Orleans on April 27, 2015.
In addition, 46 percent of respondents say their business either purchased cyber insurance for the first time or increased their level of coverage in the last year. But 36 percent of businesses don’t have any level of coverage. Of note: 32 percent said they’re most interested in using intrusion detection/penetration testing to fight cyber risks. About 25 percent say they want to use employee education programs, and 25 percent chose encryption.
This study involved large, mid-sized and small companies, though 63 percent were large enterprises. Industries reflected in the study include manufacturing/industrial, retail, financial services, government/military, medical/healthcare and education.
Marsh/Disaster Recovery Institute International
Businesses consider cyber and IT-related risks the most likely to happen and have the largest impact on their operations, according to Marsh and the Disaster Recovery Institute International’s “2015 International Business Resiliency Survey.” The survey elicited responses from nearly 200 C-level executives, risk professionals and business continuity managers from large and medium-sized corporations around the world.
Seventy-nine percent of respondents said that reputational damage from a sensitive data breach was the most likely risk and would have the biggest impact. About 58 percent said that online services being unavailable because of a cyber attack would have the biggest impact, and 77 percent said that such an incident was most likely.
At the same time, CEOs may overestimate the levels of protection they have against these likely and high-impact risks. Consider: only 28 percent said they have dedicated insurance coverage against cyber attacks, and 21 percent said they have dedicated insurance coverage for reputational damage after a data breach.
Georgia Tech Information Security Center
A new global study from the Georgia Tech Information Security Center (supported by Forbes, the Financial Services Roundtable and Palo Alto Networks) offers some hope amid the ongoing challenges businesses face in responding to cyber threats.
In its poll of board directors and executives from Forbes Global 2000 companies, the center found that 63 percent of respondents are actively addressing computer and information security. That’s up from just 33 percent in 2012.
They also found that 53 percent of boards established a risk committee – separate from the audit committee – to handle cyber risk issues. This compares to 8 percent in 2008.
Also, 48 percent of respondents said their boards are focusing on cyber insurance, up from 28 percent in 2012. In addition, 59 percent of respondents said their board had a director with risk expertise, with 23 percent saying they had one with cyber security expertise.
Sources: Wells Fargo Insurance, Veracode/NYSE, Hartford Steam Boiler, Marsh, Disaster Recovery Institute International, Georgia Tech Information Security Center
Mark Hollmer, CarrierManagement.com editor, contributed to this report.