We contributed to this relevant survey to get a better scope of and insight in what is actually going on within organizations regarding cyber related risks. We know from our members that cyber related risks seem to be under-estimated. The risks can hardly be quantified and measured. They seem a bit of far away, like the Misty Mountains.
On the other hand there are many smaller cyber incidents and more and more larger ‘accidents’ occur. Some on enterprise level, some hardly noticed by management. So they are actually not so far away. It is still a litte bit of unknown territory, which in our view should be discovered as soon as possible, before large accidents can happen. In the Global Risk Report 2013 is expressed that a majority of the CEO’s fears a cyber-attack on their organization or relevant infrastructure. Well, time to focus on this, we think. Therefor our swift and positive cooperation on this survey.
The participation in this research we think is a major first step to share our knowledge and experiences as well as to create a common awareness of the true problem. We know by heart that underestimating something is a risk on its own. We have to meet the cyber risk challenge before us.
Many companies and governments still do not devote sufficient attention to cyber risks, despite an increase in frequency, scope, and sophistication – and harsher penalties for lack of regulatory compliance and loss of sensitive data.
This finding comes from research conducted in association with the Federation of European Risk Management Associations (FERMA) by Harvard Business Review Analytic Services, corporate insurer Zurich.
The enormous expansion in the availability of information presents opportunities and challenges for business and government. Keeping their own data secure is a major task for organizations that face threats from competitors and others who may find their proprietary information too tempting not to try to steal.
At the same time, tightening laws and regulations and the demands of customers, citizens, suppliers, their own employees, and others with whom they interact make it imperative that they carefully control access to data about those outside parties. Accordingly, more than three out of four respondents to a recent Harvard Business Review Analytic Services survey sponsored by Zurich said information security and privacy have become more significant areas of concern in the past three years.
- Cyber risk comes in a bewildering variety of forms. More than one in four survey respondents mentioned each of the following as being among the most serious information security concerns for their organizations: malware and other viruses, administrative errors, incidents caused by data providers, malicious employee activity, attacks on Web applications, theft or loss of mobile devices, and internal hackers.
- Concerns about regulation and compliance appear to be driving much of organizations’ planning around cyber risk. While survey respondents most frequently placed business income loss and the cost to restore crucial proprietary electronic information among their top five concerns, the next three were all related to legal liability: legal defense and settlement costs from third-party claims, costs to comply with regulatory settlements, and costs to defend against regulatory investigations.
- Top executives often tend to regard themselves as doing a great job controlling cyber risk. But too often, responsibility remains concentrated with the chief information officer (CIO) or head of technology. Only 16.3 percent of companies have designated a chief information security officer to oversee cyber risk and privacy, according to the survey.
- In fact, bringing together all of the organization’s stakeholders in cyber security is key to designing an effective process for forestalling cyber risk and responding when an event occurs. During a November 2012 Harvard Business Review webinar, Julia Graham, FERMA board member and chief risk officer (CRO) of DLA Piper, noted that aside from the CIO or the IT department, cyber security is also the business of the human resources manager, for example, in managing confidentiality agreements in people’s contacts.
- Organizations’ success at creating organization-wide plans to address cyber risk is mixed, however. Almost two-thirds of survey respondents said their organization has formally assigned roles and responsibilities to key individuals as part of an incident response plan. But less than half said they have a strategy for communication to the general public in case of a cyber risk incident.
- Three out of four organizations, however, have introduced new IT infrastructure, and more than two of three now regularly update their antivirus software, while a similar proportion have introduced secure configurations for network devices such as firewalls, routers, and switches. But a sizable minority— more than 20 percent—say their company’s budget for activities to maintain information security and privacy is inadequate, while nearly 10 percent said they don’t know whether it is or not.
- The solutions need not be highly complex. Much can be accomplished simply by regularly training and educating employees and taking commonsense measures such as not letting sensitive information be copied onto unencrypted memory sticks. This is especially the case in an age when much work is done on mobile devices and by employees working offsite.
- Communication, then, is key. Avoid technospeak, and bring in highly credible outside experts to deliver the message to the board.
- Traditional insurance policies, like commercial general liability insurance, do not cover cyber crime and security and information risks. Yet few organizations—less than 20 percent, according to survey respondents—have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy-related issues. More than 60 percent said their company has no plans at all to purchase coverage.
“Less than one in five organisations (19%) have insurance specifically designed to cover against cyber attacks, despite the fact that over three-quarters (76%) have become more concerned about information security and privacy over the past three years.
Research undertaken by Zurich in association with Ferma and PRIMO also revealed that just 16% of companies have a designated chief information security officer to oversee cyber risk and fewer than half (44%) have increased their budget to tackle the problem.
Respondents to the survey highlighted malicious employee activity as one of the most serious information security concerns, however, just one-third (36%) said their organisation provides information security and risk training for employees and less than half (46%) said the training occurs either annually or biannually.
The research suggested regulation and compliance concerns appear to be driving much of organisations’ planning around cyber risk, after three of the top five concerns surrounded legal liability.
Zurich chief risk officer for general insurance Steve Wilson said: “Cyber risk comes in a bewildering variety of forms for organisations and we hope this research will provide risk managers with important insights into this critical issue.
“As the survey shows, it is essential that organisations do not fall into the trap of a top-down approach, taking a holistic approach which engages all employees to meeting this challenge.”
FERMA board member Julia Graham who led FERMA’s participation in the project said: “Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered.” More than three-quarters (76%) of survey respondents said that information security and privacy had become more significant areas of concern in the past three years. A majority also indicated that board involvement is growing in their organisation.
“They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance,” the final report from HBR and Zurich concludes.
“Information security is a classic enterprise risk,” commented Julia Graham. “It is not solely a subject for the domain of the chief information officer or the chief information security officer.”
In any case, only 16% of companies covered in the survey have designated a chief information security officer to oversee cyber risk and privacy, and less than half (49%) agree they have a strategy for communication to the general public in case of a cyber risk incident.
Just 19% of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues, and only 44% said their company’s budget for these risks has grown.
The sheer number of ways in which data can be lost, stolen, or misappropriated illustrates the prevalence of the threat. Respondents highlighted the following threats to the information security and confidentiality:
- malware and other viruses
- administrative errors
- incidents caused by data providers
- malicious employee activity
- attacks on web applications
- theft or loss of mobile devices
- internal hackers
Regulation and compliance concerns appear to be driving much of organisations’ planning around cyber risk. Survey respondents most frequently placed business income loss and the cost of restoring crucial proprietary electronic information among their top five concerns. The next three concerns all related to legal liability:
- Legal defence and settlement costs from third party claims
- Costs of regulatory settlements
- Costs of defending regulatory investigations.