Companies only protecting 12% of IT assets compared to 51% of tangible property assets: study

Information technology assets are 39% more exposed than property assets on a relative value to insurance protection basis, according to a new study released on Monday by the Ponemon Institute, a privacy, data protection and information security firm in Traverse City, MI.

The 2015 Global Cyber Impact Report – sponsored by Aon plc, a global provider of risk management and human resource consulting and outsourcing – surveyed more than 2,200 companies in 37 countries, including the global regions of North America, Europe, Middle East, Africa, Asia, Pacific, Japan and Latin America. The report found that while cyber is one of the fastest growing risks for companies across the globe, and information technology assets are often as valuable as property assets, companies are only protecting 12% of IT assets compared to 51% of tangible property assets.

“This survey is unique as it focused on the relative financial statement impact of cyber incidents compared to tangible asset vulnerabilities,” said Kevin Kalinich, global practice leader for cyber/network risk at Aon Risk Solutions, in a press release. “The explosion of cloud computing, mobile devices, big data analytics and the Internet of Things is creating enterprise risk management issues that are rapidly growing with the increased use of information assets and technology. Companies large and small are advised to consider cyber threats in this perspective.” [click image below to enlarge]

The report found that while 50% of respondents said that their company would disclose the loss of property, plant and equipment (PP&E) in its financial statements, 34% said a material loss to information assets does not require disclosure.

Despite the risk, companies are reluctant to purchase cyber insurance coverage, the report noted. Even though 52% of respondents believe their companies’ exposure to cyber risk will increase over the next two years, only 19% of respondents said their company had cyber insurance coverage (with an average limit of US$13 million). 

“The perception of the risk is interesting,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute in the release. “It’s clear that there is a risk and losses can be anticipated, but organizations are not insuring against the risk.” [click image below to enlarge]

Other study findings include the following:

• 37% of companies surveyed experienced a “material or significantly disruptive security exploit or data breach one or more times during the past two years and the average economic impact of the event was $2.1 million”;

• Five years from now the projected growth in the use of internet-connected devices will grow from 10 to 50 billion;

• Only 24% of respondents are fully aware of the consequences that could result from a data breach or security exploit in other countries in which their company operates and 20% said they are not aware;

• The most frequent type of incident was a cyber attack that caused disruption to business and IT operations (48% of respondents) followed by 35% of respondents who say it was a system or business process failure that caused disruption to business operations; and

• 54% of respondents do not have plans to purchase cyber insurance.