Many companies still do not devote sufficient attention to cyber risks, despite an increase in frequency, scope, and sophistication – and harsher penalties for lack of regulatory compliance and loss of sensitive data. This finding comes from research conducted in association with the Federation of European Risk Management Associations (FERMA) by Harvard Business Review Analytic Services, corporate insurer Zurich and the public sector risk management organisation PRIMO.
FERMA board member Julia Graham who led FERMA's participation in the project said: "Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered." More than three-quarters (76%) of survey respondents said that information security and privacy had become more significant areas of concern in the past three years. A majority also indicated that board involvement is growing in their organisation.
"They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance," the final report from HBR and Zurich concludes.
"Information security is a classic enterprise risk," comments Graham. "It is not solely a subject for the domain of the chief information officer or the chief information security officer."
In any case, only 16% of companies covered in the survey have designated a chief information security officer to oversee cyber risk and privacy, and less than half (49%) agree they have a strategy for communication to the general public in case of a cyber risk incident.
Just 19% of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues, and only 44% said their company's budget for these risks has grown.
The number of ways in which data can be lost, stolen, or misappropriated illustrates the prevalence of the threat. Respondents highlighted the following threats to information security and confidentiality:
- Malware and other viruses
- Administrative errors
- Incidents caused by data providers
- Malicious employee activity
- Attacks on web applications
- Theft or loss of mobile devices
- Internal hacking
Regulation and compliance concerns appear to be driving much of organisations' planning around cyber risk. Survey respondents most frequently placed business income loss and the cost of restoring crucial proprietary electronic information among their top five concerns. The next three concerns all related to legal liability, and include legal defence and settlement costs from third party claims; costs of regulatory settlements; and costs of defending regulatory investigations.