Despite the spate of high-profile data breaches over the past six months, a recent study by Advisen and Zurich suggests that companies are still reluctant to acknowledge and/or address the significant risk posed by cyber and privacy breaches — particularly smaller companies.
This past month, Advisen issued the Zurich-sponsored study A New Era In Information Security and Cyber Liability Risk Management, which surveyed 503 companies of varying sizes from a broad spectrum of industries. Of those surveyed, 86% acknowledged that cyber risks pose a “moderate” threat to their companies. Only 13.1% believe that the threat is “extremely serious.” The study suggests, however, that larger companies view the risk more seriously than smaller companies. 97.2% of larger companies (revenue in excess of $10 billion) acknowledged at least a moderate threat compared to 79.3% of smaller companies (revenue less than $250 million).
The potential damage a cyber or privacy breach may have on a company’s reputation was the biggest concern for most of the respondents, followed by an electronic data breach of customer records. Companies were less concerned about intellectual property infringement, business interruption due to cyber disruptions and employment practices concerns associated with social media.
The respondents also reported that concern over cyber risks still has not fully infiltrated the upper management agenda. Only 45.3% believe that cyber and privacy risks are viewed as a significant threat by their board of directors and only 57.9% believe they are a concern for their C-suite executives. It is worth noting, however, that the survey was conducted before the SEC issued its guidance requiring companies to report cyber risks. The SEC’s recent advice should prompt boards of directors and C-suite executives to focus more closely on cyber and privacy risks.
As we previously reported, Ponemon’s 2010 U.S. Costs of a Data Breach study suggests that companies that respond quickly with a knee-jerk reaction to data breaches ultimately pay more. A more methodical approach can help to lower the costs associated with a cyber or privacy breach. Although an ounce of prevention seems to be worth a pound of cure, only 68.8% of the respondents in the Advisen study indicated that their companies have taken the time to develop a disaster response plan. In this regard, a notable difference could be seen between larger and smaller companies — 79% of the larger companies participating in the survey had disaster plans in place compared to only 55% of the smaller companies.
The larger companies also seem to place greater emphasis on the legal aspect of cyber risks and privacy breaches. 36% of the larger companies indicated that their General Counsel’s office is primarily responsible for assuring compliance with privacy laws, while 26% of the larger companies rely primarily on their IT departments. Smaller companies were just the opposite. 40% of the smaller companies rely on their IT departments, while 23% rely on their General Counsel.
Despite the fact that 86% of the companies surveyed believe that cyber and privacy risks pose at least a moderate risk, only 35.1% buy cyber insurance. And, of those that do not currently have cyber insurance, only 24.3% indicated that they plan to purchase cyber coverage in the next year. Their reasons for not purchasing cyber insurance include: lack of coverage clarity; difficult to quantify; lack of information necessary to make an informed decision; and limited markets.
This recent report suggests that although companies are paying more attention to cyber and privacy risks, a learning curve still remains — particularly with regard to smaller companies. Not only are smaller companies less concerned with the risks, they still tend to view cyber and privacy risks as an IT issue. However, the ever-changing legal landscape and the increasing reporting duties imposed on companies necessitate legal advice and action. Cyber security and a company’s response to an attack or breach should no longer be left solely to the IT department.
The study also suggests that companies still do not fully understand the nature and scope of cyber insurance policies and that risk managers are finding it difficult to justify the additional expenditure. However, continued breaches and attacks, coupled with the SEC’s guidance, which specifically states that it may be appropriate to disclose relevant insurance coverage for cyber risks, may make it easier for risk managers to “sell” cyber insurance to management.