NOVEMBER 2014

CYBER & DATA SECURITY RISK SURVEY

CONTENTS
2  KEY FINDINGS
3  PREVALENCE OF CYBER LIABILITY INSURANCE POLICIES
4  MOST EMPLOYERS FACE SUBSTANTIAL CYBER RISK
7  KNOWLEDGE AND PERCEPTION MATTER
7  THOSE WITH CYBER LIABILITY POLICIES TAKE PREVENTIVE MEASURES MORE SERIOUSLY
CYBER & DATA SECURITY RISK SURVEY REPORT

2014 CYBER & DATA SECURITY RISK SURVEY

Marsh & McLennan Agency (MMA) recently completed a survey of 582 companies across the United States, asking about their perceptions of and exposures to cyber risk. The respondents were from small and midsize companies in a variety of industries. While headlines tend to focus on very large, household-name organizations, small and midsize employers can be more vulnerable to cyber-crime and unable to recover given the average cost of more than $200 per compromised record [1].

This is the second such survey done by MMA, with a goal of helping small and midsize employers understand how they compare to others in regards to their cyber exposures and overall understanding of their risk. The first study was done in early 2013, was smaller (167 respondents), and was focused largely in Minnesota, with 82% of respondents based in the state.

582 small and midsize employers across the U.S. took part in the survey:
  Average/Median Revenue = $32.4M/$5M
  Average/Median Employees = 1648/

Employers with cyber liability insurance in place are more knowledgeable of the coverage, more aware of their own risks, and have greater protective measures in place than those without coverage.

KEY FINDINGS

Despite numerous major data breaches gaining substantial press in the recent past (Target, Home Depot, Goldman Sachs, etc.), most respondents remain relatively unaware of the cyber and data risks facing their own organizations or consider these risks to be inconsequential. Respondents overall do not consider themselves well-informed of this type of coverage.

The prevalence of cyber liability policies among small and midsize employers is increasing, though two-thirds still do not have this kind of protection. Last year, only 16% reported having a cyber liability policy in place compared to 33% this year.

While this is good news, employers seem to be at high risk, given the number of risks they face and their levels of preparedness for dealing with the aftermath or preventing a breach.

Interestingly, respondents who have cyber liability insurance policies in place not only consider themselves more cognizant of the cyber-risks facing their organization, but also report having better measures in place to proactively reduce their risk of data breach. Not surprisingly, they also have greater exposures than respondents overall. In short, they are more cyber risk-aware than are those without such policies.

[1] Ponemon Institute, 2014 Cost of Data Breach Study: United States.

2 Marsh & McLennan Agency
PREVALENCE OF CYBER LIABILITY INSURANCE POLICIES

As mentioned above, 33% of respondents reported having a cyber liability policy in place, which is a substantial increase over last year's survey. This coincides with respondents reporting an average need for coverage of 2.86 on a five-point scale, based on their admitted low level of understanding of the coverage (2.66 out of 5) and overzealous estimation of their own security (3.06 out of 5). This survey shows that employers are, in fact, facing substantial risk, and are arguably underestimating their risk and overestimating their levels of security.

DO YOU HAVE CYBER LIABILITY INSURANCE?
  No   67%
  Yes  33%

INDUSTRY DIFFERENCES

There are notable industry differences when it comes to having cyber insurance. On the high end of the spectrum, 88% of respondents in the financial services industry have a policy in place while less than 17% of those in construction do so.

Not surprisingly, the industries more likely than the 33% overall average likelihood (in this survey) to have a cyber policy include (from most likely to least):
- Financial Services
- Health Care
- Public Administration/Government/Schools
- Technology
- Nonprofit
- Hospitality

Those industries less likely than the 33% overall average likelihood to have a cyber policy include (from most likely to least):
- Retail
- Other Professional Services
- Wholesale Trade
- Manufacturing
- Transportation
- Construction
- Real Estate
- Agriculture

EMPLOYERS WITH CYBER LIABILITY INSURANCE BY INDUSTRY (percent of respondents in each industry)
  Financial Services                        88
  Health Care                               53
  Public Administration/School Districts    50
  Technology                                50
  Nonprofit                                 42
  Hospitality                               38
  Other                                     31
  Retail                                    30
  Other Professional Services               29
  Wholesale Trade                           26
  Manufacturing                             20
  Transportation                            20
  Construction                              17
  Real Estate                               17
  Agriculture                                0

Retail in the less-likely group is a bit of a surprise because retail is typically considered to be an industry with relatively high cyber liability insurance adoption. It should be remembered, however, that this survey is of small and midsize employers. The retailers in this survey had a median employee count of .

CLAIMS

It is interesting to note that 5.2% of those with policies have made a claim, a high number. Those who've made claims have fewer median employees and lower median revenues than the overall group of respondents, and none reported being unsatisfied with how the insurance performed.

CLAIMS BY INDUSTRY

Those that have made a claim break out by industry as follows:
  Health Care                   40%
  Nonprofit                     20%
  Transportation                10%
  Other Professional Services   10%
  Technology                    10%
  Manufacturing                 10%

SIZE DIFFERENCES

Employers with cyber policies tend to be larger by most measures. Their average ($53.2 million) and median ($7.0 million) revenues are substantially greater (89.9% and 64.7% respectively) than those without policies (average = $28.0 million, median = $4.3 million). Also, their median employee count (350) is more than three and a half times that of those without policies (81). Interestingly, though, the average number of employees is lower for those with policies (1556) than those without (1749).

EMPLOYERS WITH CYBER LIABILITY INSURANCE POLICIES BY SIZE
                                               Median # EEs   Avg. # EEs   Median Revenue   Avg. Revenue
  Employers with cyber liability insurance          350          1556          $7.0 M          $53.2 M
  Employers without cyber liability insurance        81          1749          $4.3 M          $28.0 M
  ALL EMPLOYERS                                                  1648          $5.0 M          $32.4 M

MOST EMPLOYERS FACE SUBSTANTIAL CYBER RISK

More than 80% of respondents face five or more cyber risks (as defined in this survey), with more than half exposed to seven or more, and more than a third exposed to eight or more. These numbers are slightly higher than last year's survey. While not meant to be an exhaustive list, the risks included in the survey were:
- Processing credit card transactions.
- Holding past or present employee records.
- Processing/accessing banking information.
- Having one or more computers connected to the Internet.
- Having a Web site that collects personal or confidential information from visitors.
- Holding client or customer information.
- Holding supplier information.
- Using the Cloud.
- Holding information subject to HIPAA.
- Having employees who use laptops and/or PDAs linked to the employer's network.

CYBER RISK EXPOSURES PER EMPLOYER (number of respondents by number of risk exposures)
  One      14
  Two      21
  Three    31
  Four     43
  Five     71
  Six      91
  Seven    (value not legible in the source)
  Eight   108
  Nine     62
  Ten      29

Many of these are commonplace in today's work environments, and are often considered standard business operations. Each presents risk to an organization, and the more an employer is exposed to, the greater exposure they face.

COMMON CYBER EXPOSURES (percent of respondents)
  Computer(s) connected to the Internet                      95
  Process/access banking information                         85
  Hold client or customer information                        75
  Hold past or present employee records                      73
  Employees use laptops and/or PDAs linked to our network    70
  Hold supplier information                                  58
  Process credit card transactions                           57
  Hold information subject to HIPAA                          45
  Use the Cloud                                              42
  Web site collects personal or confidential information     26

RISK FROM VENDORS & BUSINESS PARTNERS

New in this year's survey, employers were asked about their outsourcing practices of business functions that are likely to involve personally identifiable, HIPAA, or other types of information they have and that ought to be protected. They were also asked about any due diligence procedures they follow to ensure their ability to recover damages if one of these service providers suffered a damaging breach. The results are not encouraging.

Survey participants were asked whether they outsource the following functions:
- Credit Card Processing
- Reservations
- Insurance Claims Handling/Management
- Auditing (financial, IT, inventory, etc.)
- Payroll
- Billing
- Employee Benefits Administration
- IT
- Accounting or Tax Services
- Human Resource Functions
- Other

OUTSOURCED BUSINESS FUNCTIONS (percent of respondents)
  Accounting or Tax Services                   58
  Payroll                                      57
  Credit Card Processing                       49
  Auditing (financial, IT, inventory, etc.)    46
  Employee Benefits Administration             44
  IT                                           43
  Insurance Claims Handling/Management         38
  Human Resource Functions                     18
  Billing                                      10
  Reservations                                  8
  Other                                         2

Outsourcing is a common practice for small and midsize businesses. Payroll and accounting or tax services are each outsourced by more than 57% of respondents. Credit card processing, auditing, benefits administration and IT services are each outsourced by four out of ten respondents. Two-thirds of respondents reported outsourcing three or more of these, and 34.9% report using providers for five or more functions.

Unfortunately, nearly four in ten (39.9%) employers do nothing to ensure their ability to be made whole and collect damages if one of their vendors were to lose or have compromised information for which they were responsible. This number doesn't improve much as the number of providers increases: 37% of those using five or more providers still do nothing to ensure their protection, a drop of only three percentage points. Additionally, just fewer than 24% ensure all vendors have accurate and adequate insurance in place.

On the bright side, employers are more likely to take protective measures as their number of providers increases. Compared to the norm, employers that outsource five or more of the listed business functions are:
- 25% more likely to analyze the financial strength of ALL providers.
- 76% more likely to analyze the financial strength of SOME providers.
- 71% more likely to have attorney-reviewed contracts in place with SOME providers.
- 67% more likely to require SOME vendors to have adequate and accurate insurance.

While these increases are definitely positive, the overall percentages remain relatively low in each category.
PROVIDER/VENDOR DUE DILIGENCE (percent of respondents: all respondents vs. respondents with 5+ outsourced vendors)
                                                                               All    5+ vendors
  Attorney-reviewed contracts are in place with ALL these providers            6.4       5.9
  Attorney-reviewed contracts are in place with SOME of these providers        9.8      16.8
  The financial strength of ALL these providers is analyzed                    9.5      11.8
  The financial strength of SOME of these providers is analyzed               12.0      21.2
  ALL these vendors are required to have proper and adequate insurance        23.7      24.1
  SOME of these vendors are required to have proper and adequate insurance    12.4      20.7
  Verbal agreements with ALL these providers                                   2.6 and 3.0 (column assignment not legible in the source)
  Verbal agreements with SOME of these providers                               7.9 and 3.6 (column assignment not legible in the source)
  We have NOT taken measures to ensure this                                   39.9      37.0
  Other                                                                        3.5 and 6.2 (column assignment not legible in the source)

If disaster does strike, 60% of these employers do not have a corporate recovery plan in place. That number dips slightly, to 55%, when looking at just those employers with five or more listed service providers.

KNOWLEDGE & PERCEPTION MATTER

Cyber risk and cyber security still aren't reliably making it into the executive-level discussions of small and midsize organizations. Nearly one in six (15.3%) never discuss the topic in the C-suite, and an additional 54.1% only discuss it at this level once or twice a year. This leaves less than a third (30.6%) who discuss it quarterly or more often.

FREQUENCY OF C-SUITE DISCUSSIONS
  Often (more than monthly) and Regularly (monthly or quarterly)   25% and 5% (split between the two not legible in the source)
  Seldom (semi-annually or annually)                               54%
  Never                                                            15%

FREQUENCY OF C-LEVEL CYBER DISCUSSIONS (percent of respondents in each group)
  Measures: (A) Take NO measures to ensure vendors' ability to make whole; (B) Analyze ALL vendors' financial strength; (C) Require ALL vendors to have proper insurance; (D) Have contracts in place with ALL vendors; (E) Have a corporate recovery plan in place.

                          (A)      (B)      (C)      (D)      (E)
  Regularly or Often     19.8%    19.8%    39.0%    11.6%    64.5%
  Seldom or Never        48.5%     4.9%    18.0%     3.9%    29.0%
  ALL RESPONDENTS        39.9%     9.5%    23.7%     6.4%    40.0%

But when executives have this topic on their radar and discuss it regularly or often at the top levels of their organization, there are numerous correlations apparent in the survey. There are stark differences between those who report seldom or never discussing their IT security issues at the executive level and those who discuss it regularly or often. To illustrate, consider:
- Nearly half (48.5%) of those who report seldom or never discussing these issues at an executive level take no measures to ensure their outsourced business providers' ability to make them whole if the business provider loses or compromises data for which they are responsible, compared to less than 20% of those who discuss these issues regularly or often.
- Those who discuss these issues regularly or often are two- to four-times as likely to ensure all vendors have proper insurance in place, have attorney-drafted contracts in place with all providers and analyze the financial strength of every business service provider.
- Those who discuss this regularly or often are more than twice as likely to have a corporate recovery plan in place.

Respondents admitting they don't understand cyber liability insurance coverage are less likely to have measures in place to protect themselves. This lack of understanding is the dominant reason for not purchasing the insurance. Nearly half (48.7%) cite it as a reason, and when combined with those who assume incorrectly that the coverage is included in another policy, the number jumps to 60.8%.
Examples of how this lack of understanding correlates with other areas include:
- 56.3% of those who admit not understanding the coverage have taken no measures to ensure their outsourced business partners' ability to compensate them in the event of a breach, compared to 39.9% overall.
- Only 22.6% of these respondents report having a corporate recovery plan in place, compared to 40% overall.
- And, interestingly yet not surprisingly, these people are also less likely to discuss cyber security at the executive level. Nearly a quarter (23.1%) of them never discuss cyber security issues at all at that level of their organization, compared to 15.3% overall.

THOSE WITH CYBER LIABILITY POLICIES TAKE PREVENTIVE MEASURES MORE SERIOUSLY

The survey data suggest that once employers commit to investing in cyber liability insurance policies, they are more likely to understand the potential fallout and take measures to minimize the likelihood of a breach. They are also more likely to take measures to help recover from a damaging breach.

Employers with cyber liability insurance policies in place are more likely to have initiated efforts to prevent the likelihood of a breach and additional non-insurance efforts to ensure their ability to recover from a harmful cyber breach. Most striking, perhaps, is the fact that more than two-thirds (67.7%) have a corporate recovery plan in place, which is 69% better than survey respondents overall, and 155% better than those without policies.

CORPORATE RECOVERY PLAN IN PLACE
                                      Yes    No
  Without cyber liability insurance   27%   73%
  With cyber liability insurance      68%   32%

MEASURES IN PLACE, BY CYBER LIABILITY INSURANCE STATUS (percent of respondents in each group)
  Measures: (A) Take NO measures to ensure vendors' ability to make whole; (B) Analyze ALL vendors' financial strength; (C) Require ALL vendors to have proper insurance; (D) Have contracts in place with ALL vendors; (E) Have a corporate recovery plan in place.

                                                  (A)      (B)      (C)      (D)      (E)
  Respondents with cyber liability insurance     23.4%    15.6%    35.4%    10.4%    67.7%
  Respondents without cyber liability insurance  48.0%     6.4%    18.0%     4.4%    26.6%
  ALL RESPONDENTS                                39.9%     9.5%    23.7%     6.4%    40.0%

Additionally, employers with cyber liability policies are more likely to put efforts into ensuring their business vendors can make them whole in the event of a damaging data breach. For example, employers with cyber liability insurance are:
- More than twice as likely to evaluate the financial strength of all or some vendors than respondents overall.
- 144% more likely to evaluate the financial strength of all vendors than those without cyber insurance.
- 97% more likely to ensure vendors have accurate and adequate insurance in place than respondents without cyber insurance coverage.
- More than 40% less likely to do nothing to ensure their protection than respondents overall.
- Less than half as likely to do nothing than those without cyber policies.

Being prepared to weather a cyber breach is important to all employers, but small and midsized ones are the most likely to be forced out of business due to the fallout from such an event. Insurance is just the beginning. Reputational damage is perhaps the most simply understood. Existing customers, potential customers, and business partners and vendors will rethink their willingness to do business with an employer that experiences a disastrous breach. Mending those relationships, if even possible, is costly. Keeping and finding new employees can prove to be substantially more difficult and hence costly as well.
As data breaches continue making headlines, the Court of Public Opinion will likely view negatively those employers who leave themselves open to and unprepared to handle these increasingly common events.

MORE INFORMATION

Additional insight into the survey data will be released over the coming months. Sign up to have it emailed to you at www.rjfagencies.com/cybersurveynotices, or request to be added to the list by emailing Jeff Mulfinger at mulfingerj@rjfagencies.com. You can get information specific to your organization by contacting your Marsh & McLennan Agency representative or Dan Hanson at hansond@rjfagencies.com or +1 763 548 5899. More information is online at www.rjfagencies.com/cyberliability.
For further information, please contact your local Marsh & McLennan Agency office or visit www.rjfagencies.com/cyberliability.

DAN HANSON
Director, Management Liability Group
+1 763 548 8599
hansond@rjfagencies.com

For informational purposes only. Copyright 2013 Marsh & McLennan Agency LLC. All rights reserved.