Title: A New Era In Information Security and Cyber Liability Risk Management - Advisen Ltd.
Date: 02/23/12
Business Activities: Security - Administrative Safeguards, Use of Social Networks, Breach Response
Impact to Subscriber: The majority of organizations view cyber and information security risks as extremely serious or serious (56.3%), with more than two thirds (71.7%) saying that information security risks are a specific risk management focus within their organization; most organizations have some form of multi-departmental information security and cyber risk team, consisting primarily of the IT department (95.5%), risk management/insurance (78.1%), and general counsel (65.7%). More than two thirds of organizations (68.8%) have a disaster response plan in place in the event of a major breach; for 41%, the IT department's role includes fulfilling state data breach notification laws following a breach, which may represent a significant deficiency in emergency response planning, as the IT department is often ill-equipped to interpret the notification requirements of dozens of states and to marshal the resources necessary to fulfill each state's requirements following a major breach. The majority of organizations (60.1%) do not purchase cyber liability insurance; the primary reasons cited include limited markets, lack of coverage clarity, expense, a difficult application process, difficulty in qualifying, and limited policy coverage.
Authority:
Risk Guidance:
Control Guidance:

Relevance:
Background Facts:
  • this study, sponsored by Zurich, surveys the enterprise-wide cyber risk management practices of 503 respondents (risk professionals and insurance buyers) over a one-week period, in the following sectors:
    • health care providers and services - 12.9%;
    • others/not listed - 7.9%;
    • government/local - 5.9%;
    • education/post-secondary - 4.8%; and
    • finance, banks, commercial - 4.6%.
Relevance to Business Activities:

  • security - administrative safeguards considerations:
    • attitude towards information security and cyber risks:
      • how would the respondent rate the potential dangers posed to their organization by cyber and information security risks:
        • extremely serious - 13.1%;
        • serious - 43.2%;
        • moderate - 29.7%;
        • mild - 12.4%; and
        • very mild - 1.6%.
      • size of company:
        • smaller companies (revenue less than $250 million) - 72% say the risks pose at least a moderate danger;
        • larger companies (revenue greater than $10 billion) - 77% say the risks pose at least a moderate danger.
      • of the total respondents:
        • 71.7% said that information security risks are a specific risk management focus within their organization.
      • in the respondent's experience, are cyber risks viewed as a significant threat to their organization:
        • by the following groups:
          • yes to board of directors - 45.3%; and
          • yes to C-suite executives - 57.9%. 
        • these results suggest that more communication may be necessary with upper-level management to educate them on the risks of cyber-related exposures.
      • on a scale of 1 (very low risk) to 5 (very high risk) from the perspective of the respondent's organization, the following was ranked:
        • reputational damage to the organization resulting from a data error - 59.4% gave it a rating of 4 or 5;
        • electronic data breach of customer records - 53.7% gave it a rating of 4 or 5;
        • reputational damage to the organization via social media - 49.3% gave it a rating of 4 or 5;
        • infringing others' intellectual property - 46.7% gave it a rating of 1 or 2;
        • business interruption due to supplier and/or customer cyber disruptions - 39.3% gave it a rating of 1 or 2; and
        • employment risks due to use of social media - 33.6% gave it a rating of 1 or 2.
    • information security and cyber risk management focus:
      • does the organization have a multi-departmental information security risk management team or committee:
        • yes - 57.2%;
        • no - 34%.
      • which departments are represented on the cyber risk management team:
        • IT - 95.9%:
          • this may represent a significant deficiency in emergency response planning - the IT department is often ill-equipped to:
            • interpret the notification requirements of dozens of states; and
            • marshal the resources necessary to fulfill the requirements of each state following a major breach.
        • risk management/insurance - 78.1%;
        • general counsel - 65.7%;
        • internal audit - 55%;
        • treasury or CFO - 30.2%;
        • other - 23.1%;
        • investor relations - 10.7%;
        • marketing - 10.1%;
        • sales - 8.9%; and
        • did not know - 3%.
    • the role of insurance in information security and cyber risk management:
      • does the organization buy cyber liability insurance:
        • yes - 35.1%;
        • no - 60.1%.
      • size of company:
        • larger companies (revenue of $1 billion or more) - 36%;
        • smaller companies (revenue of less than $1 billion) - 34%.
      • some respondent explanations for why companies do not purchase cyber liability insurance:
        • investment in prevention rather than insurance;
        • limited markets;
        • broker disconnects;
        • lack of coverage clarity;
        • lack of information to make informed decisions;
        • too expensive;
        • application process too difficult;
        • deductibles are too high;
        • difficult to qualify; and
        • policy coverage is too limited.
      • those that have purchased coverage:
        • coverage purchased for less than 2 years - 37.9%;
        • 3-5 years - 37.1%; and
        • over 5 years - 25%.
      • is the respondent's organization considering buying this coverage in the next year:
        • yes - 24.3%;
        • no - 52%; and
        • do not know - 23.6%.
  • use of social networks considerations:
    • information security and cyber risk management focus:
      • does the organization have social media policies in place:
        • yes - 63.6%;
        • no - 26.7%; and
        • do not know - 9.7%.
      • size of company:
        • larger companies - 71%;
        • smaller companies - 54%.
  • breach response considerations:
    • disaster response:
      • does the organization have a breach response plan:
        • yes - 68.8%;
        • no - 16.5%; and
        • do not know - 14.7%.
      • size of company:
        • larger companies (revenue greater than $1 billion) - 79% have a disaster response plan;
        • smaller companies (revenue under $1 billion) - 55% have a disaster response plan.
      • in the event of a data breach, which department in the organization is primarily responsible for assuring compliance with all applicable federal, state or local privacy laws, including state breach notification laws:
        • information technology ("IT") - 41.6%;
        • general counsel - 30.6%;
        • other - 13.3%;
        • risk management/insurance - 9.6%;
        • do not know - 3.7%;
        • none - 0.7%; and
        • customer service - 0.2%.
      • size of company:
        • larger companies (revenue greater than $5 billion):
          • general counsel - 36%;
          • IT - 26%.
        • smaller companies (revenue under $5 billion):
          • general counsel - 23%;
          • IT - 40%.
Source Document:

http://cdn.theatlantic.com/static/front/docs/sponsored/zurich-risk/ANewEraInInformationSecurityandCyberLiabilityRiskManagement_Zurich.pdf
