More than three in four (76%) organisations say they have become more concerned about information security and privacy over the past three years - but only 19% have purchased insurance specifically designed to cover these exposures, according to new research commissioned by Zurich.
Worryingly, only 16% of companies have designated a chief information security officer to oversee cyber risk and fewer than half (44%) have increased their budget to tackle the problem.
The sheer number of ways in which data can be lost, stolen, or misappropriated illustrates the prevalence of the cyber threat. Respondents rated each of the following in order of frequency as being among the most serious information security concerns for their organisations:
Despite malicious employee activity being one of the most serious concerns, only just over a third (36%) of survey respondents said their organisation conducts information security and risk training at enterprise level for all employees, and less than half (46%) said the training occurs either annually or biannually.
Interestingly, regulation and compliance concerns appear to be driving much of organisations’ planning around cyber risk. While survey respondents most frequently placed business income loss and the cost to restore crucial proprietary electronic information among their top five concerns, the next three concerns were all related to legal liability:
Steve Wilson, Chief Risk Officer for General Insurance, Zurich Insurance Group, said:
“The enormous expansion in the availability of information presents unprecedented opportunities and challenges for business and government. As well as regulatory responsibilities to protect proprietary information, organisations have a duty of care to ensure their measures are robust. Furthermore, companies are exposed to the risk of a significant decline in stock price compared with industry peers following a cyber security breach as a result of the negative reputation impact.
“Cyber risk comes in a bewildering variety of forms for organisations and we hope this research will provide risk managers with important insights into this critical issue. As the survey shows, it is essential that organisations do not fall into the trap of a top-down approach, taking a holistic approach which engages all employees in meeting this challenge.”
The research was carried out for Zurich by Harvard Business Review Analytic Services. The web-based survey was conducted with 152 respondents from both private sector and public sector organisations involved in risk management for their organisation. Virtually all respondents were based in Europe. Data was collected between July and September 2012.
‘Meeting the Cyber Risk Challenge’, the full report of the Zurich-commissioned survey by Harvard Business Review Analytic Services, in association with FERMA and PRIMO, can be downloaded here.