Although many organizations recognize cyber-risk management as an enterprise-wide responsibility, the IT department is still seen as the front-line defense against information losses and other cyber-liability risks, according to an industry survey of risk-management professionals.
The Zurich-sponsored survey, “A New Era in Information Security and Cyber Liability Risk Management,” concludes that this may represent “a significant deficiency in emergency-response planning,” noting that the IT department is often not equipped to interpret the breach-notification requirements of dozens of states, or to marshal the resources needed to satisfy each state’s requirements after a major breach.
The majority of the 503 respondents recognized that the entire organization is responsible for mitigating cyber risks: 57.2 percent answered yes when asked, “Does your organization have a multidepartmental information-security risk-management team or committee?” About 34 percent said no.
But of those who answered the question “Which department is primarily responsible for spearheading the information-security risk-management effort?” 73.2 percent indicated it is the responsibility of the IT department, followed by only 13.2 percent who said it is the risk-management/insurance department’s responsibility.
A total of 86 percent of respondents agreed that cyber and information-security risks pose at least a moderate danger to their organization. Yet while respondents widely acknowledge information-security and cyber risks as serious concerns, a majority of organizations do not purchase cyber-liability insurance.
When asked “Does your company buy cyber-liability insurance?” 35.1 percent of respondents said yes while 60.1 percent said no. In larger organizations ($1 billion in revenue and above) only a slightly higher percentage responded yes, at 36 percent, compared with 34 percent of the smaller organizations.
About 24 percent of current non-buyers said they are considering a purchase next year.