NU Online News Service, Oct. 18, 1:09 p.m. EDT
Although information security and cyber-risk management are recognized as an enterprise-wide responsibility by many organizations, the information technology (IT) department is still seen as the front-line defense against information losses and other cyber-liability risks, according to an industry survey.
More than two-thirds of respondents say their organizations have a disaster-response plan in place in the event of a major breach. For 41 percent of respondents, the role of the IT department includes fulfilling state data breach notification laws following a breach.
The survey concludes that this may represent “a significant deficiency in emergency-response planning,” noting that the IT department often is not equipped to interpret notification requirements of dozens of states and to marshal the resources necessary to fulfill the requirements of each state following a major breach.
Sponsored by Zurich and administered by Advisen Ltd., the survey, “A New Era In Information Security and Cyber Liability Risk Management,” was conducted for one week, beginning Sept. 26, 2011 and ending Oct. 3, 2011.
The survey was designed to create a framework for identifying and addressing cyber risks throughout an organization and was completed, at least in part, by 503 respondents.
The majority of survey respondents recognize the entire organization is responsible for mitigating these risks. When asked, “Does your organization have a multi-departmental information security risk management team or committee?” 57.2 percent respond yes and 34 percent say no.
The departments or functions most likely to have representation in the information security risk management team are IT with 95.9 percent, risk management/insurance 78.1 percent, general counsel 65.7 percent, internal audit 55 percent, treasury or chief financial officer 30.2 percent, other 23.1 percent, investor relations 10.7 percent, marketing 10.1 percent, sales 8.9 percent and 3 percent say they did not know.
Of those who answered the question “Which department is primarily responsible for spearheading the information security risk management effort?” 73.2 percent see it as the responsibility of the IT department, followed by 13.2 percent who say it is the risk management/insurance department’s responsibility.
A total of 86.0 percent of respondents agree that cyber and information security risks pose at least a moderate danger to their organization, according to the survey.
Smaller companies (with revenue less than $250 million) view cyber risks less seriously than the largest companies (revenue greater than $10 billion), with 79.3 percent of smaller companies saying the risks pose at least a moderate danger compared to 97.2 percent of large companies.
Of the total respondents, 71.7 percent say information security risks are a specific risk-management focus within their organization. In the opinion of the survey respondents, however, the threat is viewed less seriously by key decision-makers.
This suggests that more education of upper-level management on the risks of cyber-related exposures may be necessary, the study concludes.
Most respondents classify themselves as risk managers (58 percent), followed by risk-management department professionals at 17.8 percent and enterprise risk managers at 8.7 percent.
While information security and cyber risks are widely acknowledged as serious concerns by respondents, cyber liability insurance is not purchased by a majority of organizations.
When asked “Does your company buy cyber liability insurance?” 35.1 percent of respondents say yes while 60.1 percent say no. In larger organizations ($1 billion in revenue and above) only a slightly higher percentage respond yes, at 36 percent, compared to 34 percent of the smaller organizations.
Of organizations that currently do not purchase cyber liability insurance, when asked “Are you considering buying this coverage in the next year?” 24.3 percent respond yes, 52 percent say no and 23.6 percent answer that they do not know, according to the survey.