Every day the reports of cyber attacks become more alarming.

According to a federal employee union, as reported by AP, on June 11 the recent cyber attack of Office of Personnel Management data gave the hackers access to personal identifiable information about every government employee. No one can be sure what’s next, but one thing is for sure: risk managers have to be prepared for a cyber incident sooner rather than later.

To assess risk management strategies among its members, RIMS conducted its first cyber survey, asking about insurance investments, exposures, cyber security ownership and government involvement, as well as identification methods and response procedures.

The survey was answered by 284 of RIMS’ professional members in the United States. The majority of the survey respondents represented organizations with more than $1 Billion in revenue (58%), from a wide-range of industries, with most in manufacturing (16%) and financial services (13%).

Here are some key findings:

  • 51% of respondents purchase stand-alone cyber insurance policies
  • 58% of those with cyber insurance policies carry less than $20 million in cyber coverage, while 49% of those are paying more than $100,000 in premium
  • 74% of those without cyber coverage are considering obtaining coverage in the next 12 to 24 months
  • 77% of respondents credit Enterprise Risk Management (ERM) for identifying cyber risk


Source: RIMS Cyber Survey 2015

The top three first-party exposures reported are:

  • Reputational harm (79%)
  • Business interruption (78%)
  • Data breach response and notification (73%)


Source: RIMS Cyber Survey 2015

“It seems like every day risk professionals are confronted by new cyber attacks and forced to take immediate action to protect their organizations before it’s too late,” said RIMS President Rick Roberts. “The key to successfully mitigating the impact of a cyber-breach—or even preventing one in the first place—is knowledge. RIMS Cyber Survey offers the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern.”


(Photo: Shutterstock/arka38)

Cyber coverage

The survey posed several questions related to cyber insurance coverage and risk transfer. When asked whether their organization transfers the risk of cyber exposure to a third party, 58% answered yes. Of the respondents, 51% said they had a stand-alone cyber insurance policy. Of that nearly 51%, only 8% answered yes when asked whether their purchase of cyber insurance was the result of contractual obligations.

[Related: The Ideal Target Client for Cyber Cover]

The cyber insurance policies that survey respondents are buying include the following coverages:

  • Breach notification costs (91%)
  • Cyber extortion (80%)
  • Network/business interruption (80%)
  • Data recovery (75%)
  • Fines and penalties (75%)
  • Reputational harm (44%)
  • Professional liability (43%)
  • Theft of trade secrets (29%)

Two-thirds of respondents (66%) with no stand-alone cyber insurance policies answered no when asked whether cyber liability coverage is included in their other purchased policies. For the one-third that did have some form of coverage, it was included in the following policies:

  • E&O (48%)
  • Commercial general liability coverage (34%)
  • Property damage (34%)
  • D&O (20%)

Chalkboard-with-regulations-and-hand-shutterstock_249494746-Nenov Brothers Images

(Photo: Shutterstock/Nenov Brothers Images)

Responsibility versus accountability

Survey respondents noted that the primary responsibility for cyber security within their organizations rested most often with the information technology department (53%), followed by the information security department (41%). Only 5% of companies put the primary responsibility in the risk management department.

Less than 4% of risk managers had primary accountability for cyber security. Accountability in most organizations (87%) rested with the chief information security officer.

Government regulation

The survey respondents held strong views about the appropriate level of federal and state government regulation. Privacy issues were at the top of the list for 73% of the respondents as an area in which the federal government should regulate or legislate cyber risk. Legal liability, fines and penalties were important to 58%, while 42% thought the federal government should regulate information security requirements. When asked about state government regulation of cyber risk, 59% said privacy issues, 50% said legal liability, fines and penalties, and 33% said information security requirements.

The survey also asked about areas that were not appropriate for state or federal regulation. The majority (80%) put reputational issues first, followed by loss of business (79%) and business interruption (69%).

How would you have answered the questions? To compare your organization with the respondents, you can see the full survey, available to both RIMS members and non-members, in the RIMS Risk Knowledge library.