Many companies in Europe do not give sufficient attention to cyber risks: survey

Approximately three-quarters of surveyed respondents, almost all in Europe, reported that information security and privacy have become more significant areas of concern in the past three years.

“Many companies still do not devote sufficient attention to cyber risks, despite an increase in frequency, scope and sophistication – and harsher penalties for lack of regulatory compliance and loss of sensitive data,” notes a statement issued this week by the Federation of European Risk Management Associations (FERMA), which brings together 22 national risk management associations in 20 European countries.

Findings come from research conducted in association with FERMA by Harvard Business Review Analytic Services (HBR), Zurich Insurance Group and PRIMO, a public sector risk management organization, the statement notes. The analysis reflects a HBR web-based survey of 152 respondents involved in risk management for their organizations, virtually all based in Europe, carried out last summer.

“Too often, I have seen well-embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered,” says Julia Graham, a FERMA board member who led the federation’s participation in the project.

Related story: Companies have a gap in perception of data breach costs: survey

Results from the survey, conducted by HBR and sponsored by Zurich, are detailed in Meeting the Cyber Risk Challenge:

• just 19% of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues – traditional insurance policies, like commercial general liability insurance, do not cover cyber crime and security and information risks, yet more than 60% of respondents said their companies had not plans at all to purchase coverage;
• only 44% of respondents reported their company’s budget for these risks has grown;
• only 16% of companies covered in the survey have designated a chief information security officer to oversee cyber risk and privacy; and
• less than half of respondents, 49%, agree they have a strategy for communication to the general public in case of a cyber risk incident.

There are many ways in which data can be lost, stolen or misappropriated, notes the survey report. Respondents highlighted the following top 10 information security and privacy threats: malware and other viruses, 72%; administrative errors or mistakes by employees, 48%; incidents caused by third-party suppliers that provide data services to your organization, 34%; malicious activity by employees, 31%; attacks against web applications, 30%; theft or loss of mobile devices, 28%; internal hacker, either an employee or contractor, 26%; stealth attacks by organized crime, terrorists or nation states, 25%; standard phishing attack, 22%; and attacks or infiltration using mobile devices, 20%.

The report states that three out of four organizations “have introduced new IT infrastructure, and more than two of three now regularly update their antivirus software, while a similar proportion have introduced secure configurations for network devices such as firewalls, routers and switches.”

FERMA reports a majority of survey respondents indicated that board involvement is growing in their organization. With regard to how often boards receive regular updates on key issues concerning information security and privacy risk management, a survey chart indicates 17% of respondents noted once a month; 58% said once a quarter; 23% reported once a year; and 12% noted less often.

Related story: More organizations taking multi-department approach to cyber risk: survey

“They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance,” the report concludes. When insurance coverage has been purchased, the report notes, the top five types identified by respondents are third-party liability, 60%; regulatory investigation: defence costs, 33%; business income loss, 26%; privacy breach expenses (notification, call centre, forensic costs, etc.), 26%; and Internet media liability, 22%.

Regulation and compliance concerns appear to be driving much of organizations’ planning as it relates to cyber risk. Respondents placed among their top five concerns business income loss (39.5%), the cost of restoring crucial proprietary electronic information (35.5%), legal defence and settlement costs from third-party claims (34.9%), costs to comply with regulatory settlements (30.9%), and costs to defend against regulatory investigations (30.3%).

However, “awareness and attention to cyber risk may not be penetrating fast enough to all levels of the organization to keep the risk of such events under control,” the report states. “Only 36.3% of survey respondents said their organization conducts information security and risk training at the enterprise level for all employees, and less than half said it occurs either annually or biannually.” The lag was even more pronounced in the public sector.

“Bringing together all of the organization’s stakeholders in cyber security is key to designing an effective process for forestalling cyber risk and responding when an event occurs,” notes the survey report. “The solutions need not be highly complex. Much can be accomplished simply by regularly training and educating employees and taking commonsense measures.”