Nov 21, 2016

Awareness of cyber-security threat and risk management increasing, survey says

By Debbie Miller

Industries that collect personal data further ahead in responding to cyber-risks

As cyber-security threats continue to increase and perpetrators get past traditional cyber-security approaches, companies need more advanced preparation to mitigate potential breaches and their impacts.

In 2016 Advisen and Zurich North America surveyed 345 risk managers, insurance buyers and other risk professionals about business strategies in information security and cyber-risk management in a variety of industries. Information security and cyber-risk management is their sixth annual report on trends in information security and cyber-risk management.

Key findings include:

  • Eighty-seven percent of survey respondents believe a technological interruption would have a moderate-to-significant impact on their business
  • During the six years the survey has been conducted, the proportion of companies buying security and privacy cyber-insurance has increased by 85 percent, from 35 percent in 2011 to 65 percent in 2016
  • Costs related to a breach of customer/personal information are the main reason companies buy cyber-insurance
  • Ninety-seven percent of respondents recognize the importance of risk management and IT departments collaborating on cyber-security issues.

In the past six years the survey has been conducted, there has been a change in risk professional, executive and board member attitudes toward cyber-risk. While companies once believed data breaches to be unlikely, they now view their occurrence as the new normal.

Further, while cyber-risk used to be seen as solely an IT issue, it is now seen more as an issue for many of an organization’s departments, bringing a company-wide ‘multi-department risk-management focus’ to cyber-security. The study finds that about 60 percent of pre-breach services are provided by IT, risk management, HR and legal departments working together.

Industries that collect personal data – healthcare, communications, financial & banking and retail – seem to be further along in understanding cyber-risk and have more regulatory oversight than companies that do not collect personal data; they report that ‘reputation damage due to privacy violation/loss of customer records’ is a top concern.  

Additionally, organizations that collect personal data are more likely to look for assistance outside the company. And despite concern about employees unintentionally infecting a company’s network with malware, about 21 percent of respondents say they don’t have an employee education program in place.