The threat of a cyber breach moves more quickly than the blinkof an eye.

It affects business of all sizes and across all industries— and hackers are becoming more creative, as seen in therecent online attacks on Domain Name Sytem provider DynInc. 

But what do businesses really think about cyber threats and howare they responding? According to a recent survey by Zurich North America and Advisen,released Oct. 27 at the Advisen Cyber Risk Insights Conference inNew York City, more businesses are aware of the risk and a need todo "something," even if they don't agree on what that "something"is.

According to the survey results, the overall upward trend oforganizations purchasing what it describes as network security andprivacy "cyber" insurance continued in 2016. The proportion ofcompanies buying security and privacy insurance has increased by 85percent, from 35 percent of companies purchasing coverage in 2011to 65 percent in 2016.

Survey results, however, appear to indicate that the market isslowing — up only 7 percent from 2015 compared with an 18percent increase in 2014.

Majority sees cyber as 'significant'threat

The survey also found a strong connection between industrieswith substantial personally identifiable information, personalhealth information, or personal financial information and theirunderstanding of data security risks.

Almost all the boards of directors (93 percent) and C-suiteexecutives (95 percent) in health care, finance and banking, retailand communications — those industries that rely heavily on personaldata — say that cyber risks are a significant threat. Incomparison, 79 percent of boards and 80 percent of C-suiteexecutives from all other industries surveyed view cyber risk as asignificant threat.

Other findings

The results of the survey also included:

• |
  • Among all respondents, 87 percent believe a technologyinterruption would have a moderate-to-significant effect on theirbusiness, while 13 percent don't see technology interruption aseven having a moderate effect.
  • General counsel took over from information technology as thedepartment most frequently responsible for assuring compliance withall applicable federal, state or local privacy laws, includingstate breach notification laws, for the first time since the surveybegan in 2011.
  • Nearly all the companies surveyed (97 percent) clearlyrecognize the importance of collaboration between their riskmanagement and information technology departments on issues relatedto cybersecurity.
  • For 36 percent of respondents, "expenses/fines related to abreach of customer/personal information" are the leading reason forpurchasing security and privacy insurance.

Risk awareness doesn't equal risktransfer

PropertyCasualty360.com interviewed Erica Davis, head ofspecialty errors and omissions for Zurich North America, to gainsome additional insights about the survey:

PC360: Were any of the survey resultssurprising to you?

Erica Davis: Businesses and senior leadershipattitudes toward cyber have evolved. They are keenly aware of theimpacts of network interruption or other cyber exposures. Yet thatis not necessarily translating to a risk transfer solution. Eventhough there is growing hyperconnectivity — increased reliance ontechnology — there are businesses that still have not made thedecision to purchase a product to help mitigate growing nature ofnetwork interruption impact.

PC360: The responses break down byindustry to a certain extent. Were there industries that youexpected would have a higher uptake in cyber coverage?

Davis: As indicated, organizations with greateramounts of personally identifiable information and personal healthinformation appear to purchase cyber coverage more frequently.There could be even more attention to these industries in thefuture due to regulatory developments, especially financialinstitutions. I expect to see a trend toward more focus on networkinterruption and corporate confidential information, which maytrigger a change to buying patterns with the manufacturing segmentor law firms.

PC360: What department — IT, riskmanagement, general counsel, finance or HR, for example— is most often taking the lead on educating employees onhow to avoid data breaches?

Davis: We most often find IT taking the lead ondata breach awareness and the general counsel taking the lead onprivacy awareness. The trend we are encouraged to see is theincreased appreciation of how cyber risk education and responseneed to be a multi-departmental approach and they have to beembedded into the organization's culture.

PC360: How can agents and brokers help theirsmall to midsize business clients — for example, physician ordental practices, or retail boutiques — understand and mitigate therisks? I'm thinking about the local dry cleaner with 10 locationswho picks up and delivers and keeps customers' credit cards onfile, for instance, or a local liquor store "chain" with 20locations that accepts credit cards and maintains a loyalty list ofcustomers.

Davis: It really does come back to helpingbusinesses understand and protect themselves from risk. I adviserisk mapping here. Small and midsize businesses need helpunderstanding what downtime could mean to their operations and whatcosts are associated with that down time. They need to understandhow many records they're holding — and what those costs could be ifthat sensitive information is compromised.

This is an opportunity for the insurance community to helpbusinesses quantify the exposure and provide risk mitigationguidance that better protects these businesses from cyber risk.

PC360: What do you want readers to take awayfrom the survey results?

Davis: There is a lot of great information inthe survey results, and I encourage those interested to take thetime to look through the responses to find what might most interestthem.

But overall it's important for them to see that greaterawareness and deeper discussion of cyber risk has generatedincreased role clarity — for example, IT is no longer cited as mostresponsible for breach notification. Businesses may keep currentwith awareness of escalating threats — malware, for instance — butthey haven't necessarily responded by consistently offeringemployee training. There is still work to be done on understandingcyber risk and developing action items on what that means to yourbusiness. There is no one-size-fits-all approach.

Readers should also see that there continues to be a need forbusinesses to build on their resilience efforts. The survey showsus that businesses overall are recognizing the additional threat ofengineering tactics such as phishing and spear phishing emails toemployees, with 50 percent of respondents indicating that"employees unintentionally infecting their network with malware"was a high or extremely high risk and the top concern of surveyrespondents. But even with a high level of concern about the humanelement, the survey shows that approximately 21 percent ofrespondents say they still don't have an employee education programin place.

Ultimately, creating a mindset of resilience is a key componentto building a cyber-related risk mitigation strategy.

You can see the complete results of the survey, "InformationSecurity and Cyber Liability Risk Management: The sixthannual survey on the current state of and trends in informationsecurity and cyber liability risk management," at Zurich NorthAmerica's website.

Save

Save

Save

Save