Historians may look at the year 2013 as a “cyber tipping-point” — the point at which businesses and governments finally realized the severity of the threats they were facing, according to Advisen, a New York-based commercial insurance research and data analytics firm.
Advisen said exposures such as operational disruptions caused by denial of service attacks, lost or stolen data, violation of privacy laws and intellectual property infringement have long been a concern of larger companies. But this year, smaller businesses began to increasingly realize that they were also at risk.
Consequently, the research firm said, information security risks became a risk management focus of more organizations — and insurance cemented itself as a part of the cyber risk management strategy for a majority of organizations surveyed by Advisen.
Advisen’s newly released annual survey on information security and cyber liability risk management found that, similar to previous years, the vast majority of respondents (89 percent) believe that cyber and information security risks pose “at least a moderate threat” to their organization. Additionally, 54 percent said their organization’s board of directors views cyber risk as a significant threat to their organization, while 64 percent said their C-suite executives view cyber risk as a significant threat.
Advisen said this year’s survey had participation from 329 respondents, with 47 percent classifying themselves as chief risk managers and an additional 39 percent classifying themselves as members of risk management departments. Businesses from an array of industries are represented, with healthcare accounting for the largest industry sector, followed by government and nonprofit, industrials, professional services, consumer discretionary and utilities. The survey was weighted towards larger companies, with 57 percent of respondent companies having revenues in excess of $1 billion.
Smaller Firms No Longer Overlooked by Cyber-Criminals
Advisen said small and mid-size businesses can no longer assume they will be overlooked as potential targets by cyber-criminals. In fact, smaller companies are increasingly being targeted because they often have less sophisticated security and, in some cases, can act as a conduit to larger companies.
Advisen found that while the smallest companies (revenues less than $250 million) had previously viewed cyber risk less seriously than their largest counterparts (revenue greater than $10 billion), this gap is closing.
This year’s survey found that in response to a key question — “How would you rate the potential dangers posed to your organization by cyber and information security risks?” — 91 percent of smallest companies said they believe the risks pose at least a moderate danger. This is a 9 percentage point increase from last year. At the other end of the scale, 97 percent of the largest companies said they believe cyber risks pose at least a moderate danger, which was consistent with last year’s figure.
Advisen also found in its survey that most organizations recognize the importance of having a data breach response plan. When respondents were asked “Does your organization have a data breach response plan in place in the event of a data breach?” more than 70 percent responded yes and 10 percent said no, while 18 percent said they did not know.
Advisen said research suggests that when a breach occurs, organizations that have implemented data breach response plans prior to the breach fare much better than those that have not.
A Risk Management Focus
Information security risks are increasingly becoming a risk management focus. Eighty percent said yes while 18 percent responded no when asked if information security risks are a specific risk management focus within their organization.
The survey also said 56 percent of organizations have a multi-departmental information security risk management team or committee. The departments or functions that are most likely to have representation in such teams include IT, risk management/insurance, general counsel’s office, compliance, internal audit, treasury or CFO’s office and chief privacy officer.
Advisen said small and mid-size businesses also are increasingly concerned with exposures from mobile devices and employee use of personal devices. Advisen noted that cloud computing is gaining in popularity as businesses increasingly perceive the value of storing data in the cloud as outweighing the risks. The percentage of organizations that examine the vulnerabilities from cloud services as part of their data security risk management program has also increased.
In this survey, 52 percent of the respondents said their organization purchases cyber liability insurance. (Advisen’s broader research using a database of purchases of different insurance coverages suggests the cyber liability insurance purchase rate can range from less than 10 percent among small companies with less than $100 million in revenues to up to around 20 percent on average among larger corporations. There is also a wide disparity among different industries.)
“The resounding theme of this year’s survey is the increasing concern of small and mid-size businesses over an ever expanding list of information security risks,” Advisen stated.
“The gap in the threat perception between the largest and smallest companies is shrinking while the percentage of companies purchasing cyber insurance is substantially increasing. Is this a coincidence or a correlation? Only time will tell but there is clearly an evolving risk landscape along with varying strategies for risk mitigation.”