IT Still Largely Responsible For Cyber Risk, Study Finds

NU Online News Service, Oct. 18, 1:09 p.m. EDT

Although information security and cyber-risk management is recognized as an enterprise-wide responsibility by many organizations, the information technology (IT) department still is seen as the front-line defense against information losses and other cyber-liability risks, according to an industry survey.

More than two-thirds of respondents say their organizations have a disaster-response plan in place in the event of a major breach. For 41 percent of respondents, the role of the IT department includes fulfilling state data breach notification laws following a breach.

The survey concludes that this may represent “a significant deficiency in emergency-response planning,” noting that the IT department often is not equipped to interpret notification requirements of dozens of states and to marshal the resources necessary to fulfill the requirements of each state following a major breach.

Sponsored by Zurich and administered by Advisen Ltd., the survey, “A New Era In Information Security and Cyber Liability Risk Management,” was conducted for one week, beginning Sept. 26, 2011 and ending Oct. 3, 2011.

The survey was designed to create a framework for identifying and addressing cyber risks throughout an organization and was completed, at least in part, by 503 respondents.

The majority of survey respondents recognize the entire organization is responsible for mitigating these risks. When asked, “Does your organization have a multi-departmental information security risk management team or committee?” 57.2 percent respond yes and 34 percent say no.

The departments or functions most likely to have representation in the information security risk management team are IT with 95.9 percent, risk management/insurance 78.1 percent, general counsel 65.7 percent, internal audit 55 percent, treasury or chief financial officer 30.2 percent, other 23.1 percent, investor relations 10.7 percent, marketing 10.1 percent, sales 8.9 percent and 3 percent say they did not know.

Of those who answered the question “Which department is primarily responsible for spearheading the information security risk management effort?” 73.2 percent see it as the responsibility of the IT department, followed by 13.2 percent who say it is the risk management/insurance department’s responsibility.

A total of 86.0 percent of respondents agree that cyber and information security risks pose at least a moderate danger to their organization, according to the survey.

Smaller companies (with revenue less than $250 million) view cyber risks less seriously than the largest companies (revenue greater than $10 billion), with 79.3 percent of smaller companies saying the risks pose at least a moderate danger compared to 97.2 percent of large companies.

Of the total respondents, 71.7 percent say information security risks are a specific risk-management focus within their organization. In the opinion of the survey respondents, however, the threat is viewed less seriously by key decision-makers.

This suggests that more education may be necessary with upper-level management on the risks of cyber-related exposures, the study concludes.

Most respondents classify themselves as risk managers (58 percent), followed by risk-management department professionals at 17.8 percent and enterprise risk managers at 8.7 percent.

While information security and cyber risks are widely acknowledged as serious concerns by respondents, cyber liability insurance is not purchased by a majority of organizations.

When asked “Does your company buy cyber liability insurance?” 35.1 percent of respondents say yes while 60.1 percent say no. In larger organizations ($1 billion in revenue and above) only a slightly higher percentage respond yes, at 36 percent, compared to 34 percent of the smaller organizations.

Of organizations that currently do not purchase cyber liability insurance, when asked “Are you considering buying this coverage in the next year?” 24.3 percent respond yes, 52 percent say no and 23.6 percent answer that they do not know, according to the survey.
