
NOVEMBER 2014 CYBER & DATA SECURITY RISK SURVEY

CONTENT:
2 KEY FINDINGS
3 PREVALENCE OF CYBER LIABILITY INSURANCE POLICIES
4 MOST EMPLOYERS FACE SUBSTANTIAL CYBER RISK
7 KNOWLEDGE AND PERCEPTION MATTER
7 THOSE WITH CYBER LIABILITY POLICIES TAKE PREVENTIVE MEASURES MORE SERIOUSLY

CYBER & DATA SECURITY RISK SURVEY REPORT

2014 CYBER & DATA SECURITY RISK SURVEY

Marsh & McLennan Agency (MMA) recently completed a survey of 582 companies across the United States, asking about their perceptions of and exposures to cyber risk. The respondents were from small and midsize companies in a variety of industries. While headlines tend to focus on very large, household-name organizations, small and midsize employers can be more vulnerable to cyber-crime and unable to recover, given the average cost of more than $200 per compromised record [1].

This is the second such survey done by MMA, with the goal of helping small and midsize employers understand how they compare to others in regard to their cyber exposures and overall understanding of their risk. The first study was done in early 2013, was smaller (167 respondents), and was focused largely on Minnesota, with 82% of respondents based in the state.

582 small and midsize employers across the U.S. took part in the survey:
Average/Median Revenue = $32.4M/$5M
Average/Median Employees = 1648/

Employers with cyber liability insurance in place are more knowledgeable about the coverage, more aware of their own risks, and have greater protective measures in place than those without coverage.

KEY FINDINGS

Despite numerous major data breaches gaining substantial press in the recent past (Target, Home Depot, Goldman Sachs, etc.), most respondents remain relatively unaware of the cyber and data risks facing their own organizations or consider these risks to be inconsequential. Respondents overall do not consider themselves well-informed about this type of coverage.

The prevalence of cyber liability policies among small and midsize employers is increasing, though two-thirds still do not have this kind of protection. Last year, only 16% reported having a cyber liability policy in place, compared to 33% this year. While this is good news, employers seem to be at high risk, given the number of risks they face and their levels of preparedness for preventing a breach or dealing with its aftermath.

Interestingly, respondents who have cyber liability insurance policies in place not only consider themselves more cognizant of the cyber risks facing their organization, but also report having better measures in place to proactively reduce their risk of a data breach. Not surprisingly, they also have greater exposures than respondents overall. In short, they are more cyber-risk-aware than those without such policies.

[1] Ponemon Institute, 2014 Cost of Data Breach Study: United States.

2 Marsh & McLennan Agency

PREVALENCE OF CYBER LIABILITY INSURANCE POLICIES

As mentioned above, 33% of respondents reported having a cyber liability policy in place, which is a substantial increase over last year's survey. This coincides with respondents reporting an average need for coverage of 2.86 on a five-point scale, based on their admitted low level of understanding of the coverage (2.66 out of 5) and overzealous estimation of their own security (3.06 out of 5). This survey shows that employers are, in fact, facing substantial risk, and are arguably underestimating their risk and overestimating their levels of security.

DO YOU HAVE CYBER LIABILITY INSURANCE?
No: 67%
Yes: 33%

INDUSTRY DIFFERENCES

There are notable industry differences when it comes to having cyber insurance. On the high end of the spectrum, 88% of respondents in the financial services industry have a policy in place, while less than 17% of those in construction do so. Not surprisingly, the industries more likely than the 33% overall average likelihood (in this survey) to have a cyber policy include (from most likely to least):
- Financial Services
- Health Care
- Public Administration/Government/Schools
- Technology
- Nonprofit
- Hospitality

Those industries less likely than the 33% overall average likelihood to have a cyber policy include (from most likely to least):
- Retail
- Other Professional Services
- Wholesale Trade
- Manufacturing
- Transportation
- Construction
- Real Estate
- Agriculture

EMPLOYERS WITH CYBER LIABILITY INSURANCE BY INDUSTRY (percent of respondents)
Financial Services                        88
Health Care                               53
Public Administration/School Districts    50
Technology                                50
Nonprofit                                 42
Hospitality                               38
Other                                     31
Retail                                    30
Other Professional Services               29
Wholesale Trade                           26
Manufacturing                             20
Transportation                            20
Construction                              17
Real Estate                               17
Agriculture                                0

Retail in the less-likely group is a bit of a surprise, because retail is typically considered to be an industry with relatively high cyber liability insurance adoption. It should be remembered, however, that this survey is of small and midsize employers. The retailers in this survey had a median employee count of.

CLAIMS

It is interesting to note that 5.2% of those with policies have made a claim, a high number. Those who've made claims have fewer median employees and lower median revenues than the overall group of respondents, and none reported being unsatisfied with how the insurance performed.

Those that have made a claim break out by industry as follows:

CLAIMS BY INDUSTRY
Health Care                    40%
Nonprofit                      20%
Transportation                 10%
Other Professional Services    10%
Technology                     10%
Manufacturing                  10%

SIZE DIFFERENCES

Employers with cyber policies tend to be larger by most measures. Their average ($53.2 million) and median ($7.0 million) revenues are substantially greater (89.9% and 64.7% respectively) than those without policies (average = $28.0 million, median = $4.3 million). Also, their median employee count (350) is more than three and a half times that of those without policies (81). Interestingly, though, the average number of employees is lower for those with policies (1556) than for those without (1749).

EMPLOYERS WITH CYBER LIABILITY INSURANCE POLICIES BY SIZE
Group | Median # EEs | Avg. # EEs | Median Revenue | Avg. Revenue
Employers with Cyber Liability Insurance | 350 | 1556 | $7.0 M | $53.2 M
Employers without Cyber Liability Insurance | 81 | 1749 | $4.3 M | $28.0 M
ALL EMPLOYERS | - | 1648 | $5.0 M | $32.4 M

MOST EMPLOYERS FACE SUBSTANTIAL CYBER RISK

More than 80% of respondents face five or more cyber risks (as defined in this survey), with more than half exposed to seven or more, and more than a third exposed to eight or more. These numbers are slightly higher than last year's survey. While not meant to be an exhaustive list, the risks included in the survey were:
- Processing credit card transactions.
- Holding past or present employee records.
- Processing/accessing banking information.
- Having one or more computers connected to the Internet.
- Having a Web site that collects personal or confidential information from visitors.
- Holding client or customer information.
- Holding supplier information.
- Using the Cloud.
- Holding information subject to HIPAA.
- Having employees who use laptops and/or PDAs linked to the employer's network.

CYBER RISK EXPOSURES PER EMPLOYER (respondents by number of risk exposures)
One      14
Two      21
Three    31
Four     43
Five     71
Six      91
Seven    -
Eight   108
Nine     62
Ten      29

Many of these are commonplace in today's work environments, and are often considered standard business operations. Each presents risk to an organization, and the more of them an employer is exposed to, the greater the exposure it faces.

RISK FROM VENDORS & BUSINESS PARTNERS

New in this year's survey, employers were asked about their practice of outsourcing business functions that are likely to involve personally identifiable information, information subject to HIPAA, or other types of information they hold and that ought to be protected. They were also asked about any due diligence procedures they follow to ensure their ability to recover damages if one of these service providers suffered a damaging breach. The results are not encouraging.

Survey participants were asked whether they outsource the following functions:
- Credit Card Processing
- Reservations
- Insurance Claims Handling/Management
- Auditing (financial, IT, inventory, etc.)
- Payroll
- Billing
- Employee Benefits Administration
- IT
- Accounting or Tax Services
- Human Resource Functions
- Other

COMMON CYBER EXPOSURES (percent of respondents)
Computer(s) connected to the Internet                      95
Process/access banking information                         85
Hold client or customer information                        75
Hold past or present employee records                      73
Employees use laptops and/or PDAs linked to our network    70
Hold supplier information                                  58
Process credit card transactions                           57
Hold information subject to HIPAA                          45
Use the Cloud                                              42
Web site collects personal or confidential information     26

OUTSOURCED BUSINESS FUNCTIONS (percent of respondents)
Accounting or Tax Services                   58
Payroll                                      57
Credit Card Processing                       49
Auditing (financial, IT, inventory, etc.)    46
Employee Benefits Administration             44
IT                                           43
Insurance Claims Handling/Management         38
Human Resource Functions                     18
Billing                                      10
Reservations                                  8
Other                                         2

Outsourcing is a common practice for small and midsize businesses. Payroll and accounting or tax services are each outsourced by more than 57% of respondents. Credit card processing, auditing, benefits administration and IT services are each outsourced by four out of ten respondents. Two-thirds of respondents reported outsourcing three or more of these, and 34.9% report using providers for five or more functions.

Unfortunately, nearly four in ten (39.9%) employers do nothing to ensure their ability to be made whole and collect damages if one of their vendors were to lose, or have compromised, information for which they were responsible. This number doesn't improve much as the number of providers increases: 37% of those using five or more providers still do nothing to ensure their protection, a drop of only three percentage points. Additionally, just under 24% ensure all vendors have accurate and adequate insurance in place.

On the bright side, employers are more likely to take protective measures as their number of providers increases. Compared to the norm, employers that outsource five or more of the listed business functions are:
- 25% more likely to analyze the financial strength of ALL providers.
- 76% more likely to analyze the financial strength of SOME providers.
- 71% more likely to have attorney-reviewed contracts in place with SOME providers.
- 67% more likely to require SOME vendors to have adequate and accurate insurance.

While these increases are definitely positive, the overall percentages remain relatively low in each category.

PROVIDER/VENDOR DUE DILIGENCE (percent of respondents)
Measure | All respondents | Respondents w/ 5+ outsourced vendors
Attorney-reviewed contracts are in place with ALL | 6.4 | 5.9
Attorney-reviewed contracts are in place with SOME | 9.8 | 16.8
The financial strength of ALL these providers is analyzed | 9.5 | 11.8
Financial strength of SOME of these providers is analyzed | 12.0 | 21.2
ALL these vendors are required to have proper and adequate insurance in place | 23.7 | 24.1
SOME of these vendors are required to have proper and adequate insurance in place | 12.4 | 20.7
Verbal agreements with ALL these providers | 2.6 | 3.0
Verbal agreements with SOME of these providers | 3.6 | 7.9
We have NOT taken measures to ensure this | 39.9 | 37.0
Other | 3.5 | 6.2

If disaster does strike, 60% of these employers do not have a corporate recovery plan in place. That number dips slightly, to 55%, when looking at just those employers with five or more of the listed service providers.

KNOWLEDGE & PERCEPTION MATTER

Cyber risk and cyber security still aren't reliably making it into the executive-level discussions of small and midsize organizations. Nearly one in six (15.3%) never discuss the topic in the C-suite, and an additional 54.1% only discuss it at this level once or twice a year. This leaves less than a third (30.6%) who discuss it quarterly or more often.

FREQUENCY OF C-SUITE DISCUSSIONS
Often (more than monthly)              5%
Regularly (monthly or quarterly)      25%
Seldom (semi-annually or annually)    54%
Never                                 15%

FREQUENCY OF C-LEVEL CYBER DISCUSSIONS (percent of respondents)
Discussion frequency | Take NO measures to ensure vendors' ability to make whole | Analyze ALL vendors' financial strength | Require ALL vendors to have proper insurance | Have contracts in place with ALL vendors | Have a corporate recovery plan in place
Regularly or Often | 19.8% | 19.8% | 39.0% | 11.6% | 64.5%
Seldom or Never | 48.5% | 4.9% | 18.0% | 3.9% | 29.0%
ALL RESPONDENTS | 39.9% | 9.5% | 23.7% | 6.4% | 40.0%

But when executives have this topic on their radar and discuss it regularly or often at the top levels of their organization, numerous correlations are apparent in the survey. There are stark differences between those who report seldom or never discussing their IT security issues at the executive level and those who discuss them regularly or often. To illustrate, consider:
- Nearly half (48.5%) of those who report seldom or never discussing these issues at an executive level take no measures to ensure their outsourced business providers' ability to make them whole if the business provider loses or compromises data for which it is responsible, compared to less than 20% of those who discuss these issues regularly or often.
- Those who discuss these issues regularly or often are two to four times as likely to ensure all vendors have proper insurance in place, to have attorney-drafted contracts in place with all providers, and to analyze the financial strength of every business service provider.
- Those who discuss this regularly or often are more than twice as likely to have a corporate recovery plan in place.

Respondents admitting they don't understand cyber liability insurance coverage are less likely to have measures in place to protect themselves. This lack of understanding is the dominant reason for not purchasing the insurance. Nearly half (48.7%) cite it as a reason, and when combined with those who assume incorrectly that the coverage is included in another policy, the number jumps to 60.8%.

Examples of how this lack of understanding correlates with other areas include:
- 56.3% of those who admit not understanding the coverage have taken no measures to ensure their outsourced business partners' ability to compensate them in the event of a breach, compared to 39.9% overall.
- Only 22.6% of these respondents report having a corporate recovery plan in place, compared to 40% overall.
- And, interestingly yet not surprisingly, these people are also less likely to discuss cyber security at the executive level. Nearly a quarter (23.1%) of them never discuss cyber security issues at all at that level of their organization, compared to 15.3% overall.

THOSE WITH CYBER LIABILITY POLICIES TAKE PREVENTIVE MEASURES MORE SERIOUSLY

The survey data suggest that once employers commit to investing in cyber liability insurance policies, they are more likely to understand the potential fallout and take measures to minimize the likelihood of a breach. They are also more likely to take measures to help recover from a damaging breach. Employers with cyber liability insurance policies in place are more likely to have initiated efforts to reduce the likelihood of a breach and additional non-insurance efforts to ensure their ability to recover from a harmful cyber breach. Most striking, perhaps, is the fact that more than two-thirds (67.7%) have a corporate recovery plan in place, which is 69% better than survey respondents overall, and 155% better than those without policies.

CORPORATE RECOVERY PLAN IN PLACE
Without cyber liability insurance: Yes 27%, No 73%
With cyber liability insurance: Yes 68%, No 32%

Group | Take NO measures to ensure vendors' ability to make whole | Analyze ALL vendors' financial strength | Require ALL vendors to have proper insurance | Have contracts in place with ALL vendors | Have a corporate recovery plan in place
Respondents with cyber liability insurance | 23.4% | 15.6% | 35.4% | 10.4% | 67.7%
Respondents without cyber liability insurance | 48.0% | 6.4% | 18.0% | 4.4% | 26.6%
ALL RESPONDENTS | 39.9% | 9.5% | 23.7% | 6.4% | 40.0%

Additionally, employers with cyber liability policies are more likely to put effort into ensuring their business vendors can make them whole in the event of a damaging data breach. For example, employers with cyber liability insurance are:
- More than twice as likely to evaluate the financial strength of all or some vendors as respondents overall.
- 144% more likely to evaluate the financial strength of all vendors than those without cyber insurance.
- 97% more likely to ensure vendors have accurate and adequate insurance in place than respondents without cyber insurance coverage.
- More than 40% less likely to do nothing to ensure their protection than respondents overall.
- Less than half as likely to do nothing as those without cyber policies.

Being prepared to weather a cyber breach is important to all employers, but small and midsize ones are the most likely to be forced out of business by the fallout from such an event. Insurance is just the beginning. Reputational damage is perhaps the most simply understood: existing customers, potential customers, and business partners and vendors will rethink their willingness to do business with an employer that experiences a disastrous breach. Mending those relationships, if even possible, is costly. Keeping employees and finding new ones can prove substantially more difficult and, hence, costly as well. As data breaches continue making headlines, the court of public opinion will likely view negatively those employers who leave themselves open to, and unprepared to handle, these increasingly common events.

MORE INFORMATION

Additional insight into the survey data will be released over the coming months. Sign up to have it emailed to you at www.rjfagencies.com/cybersurveynotices, or request to be added to the list by emailing Jeff Mulfinger at mulfingerj@rjfagencies.com. You can get information specific to your organization by contacting your Marsh & McLennan Agency representative or Dan Hanson at hansond@rjfagencies.com or +1 763 548 5899. More information is online at www.rjfagencies.com/cyberliability.


For further information, please contact your local Marsh & McLennan Agency office or visit www.rjfagencies.com/cyberliability.

DAN HANSON
Director, Management Liability Group
+1 763 548 8599
hansond@rjfagencies.com

For informational purposes only. Copyright 2013 Marsh & McLennan Agency LLC. All rights reserved.