The Risk and Insurance Management Society (RIMS) has issued the results of their 2015 survey on cyber exposure, purchasing of cyber insurance, and managing cyber risks. Registered users can download the report from here. However, you may want to read this review before troubling to register. The report is good in parts, but thin overall.
The report covers all industries; only 3 of the 284 respondents identified themselves as working in the telecommunications sector. However, the data is useful for understanding what big businesses are doing to mitigate cyber risks. 58 percent of respondents said their company’s annual revenues exceeded USD1bn.
Reputational harm ranked as the most common first party cyber risk, with 79 percent identifying the exposure. Disclosure of personally identifiable information ranked as the top third party cyber risk, as recognized by 88 percent of respondents.
Just over half had mitigated their cyber risks with a standalone cyber insurance policy, but most of these provided less than USD20mn of cover.
89 percent stated they had a plan for how to deal with a cyber crisis. Of those who had plans, 95 percent involved the IT function in their response, 86 percent involved the Legal team, 79 percent involved the Risk Management function, and 73 percent involved Public Relations. However, just 32 percent involved a privacy officer, suggesting that a minority of firms have appointed someone to perform that duty.
Primary accountability for cyber security rested with the Chief Information Security Officer in 87 percent of firms. The Chief Risk Officer was accountable in 5 percent of firms, and a more junior risk manager was accountable in another 4 percent of businesses surveyed.
The chief method of evaluating cyber security was risk assessments, as conducted by 77 percent of respondents. 62 percent had an in-house committee to evaluate cyber security. 52 percent engaged external vendors to evaluate cyber security, and 51 percent benefited from evaluations as part of their audit process.
The main problems with this report stem from the weaknesses of RIMS as an organization. RIMS refer to themselves as the risk management society, playing down their connection with the insurance industry, yet this report asks lots of questions relating to insurance for cyber liabilities. At the same time, RIMS are keen to state they are a global organization, with members in over 60 countries. However, most of those members are in North America, and that bias is evident both in the choice of questions and in the failure to present a geographical breakdown of survey respondents.
Whilst there were many questions about insurance, there was little drilling into detail around other important topics, like organizational relationships for cyber risks, and how the evaluation of such risks is reported and escalated.
It is worth taking a look at this report if you want to overhaul how your business manages cyber risks, or if you want an easy way to gauge current norms in North America. If you need more detailed guidance, there are better resources elsewhere, such as the survey conducted by Protiviti and North Carolina State University into executive perceptions of risk.