Many companies aren’t devoting enough attention to cyber risks, despite harsher penalties for lack of regulatory compliance and loss of sensitive data.
The findings come from research conducted by Harvard Business Review Analytic Services (HBR), Zurich and the public sector risk management organisation PRIMO, in association with the Federation of European Risk Management Associations (FERMA).
Julia Graham, a FERMA board member, said: “Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered.”
Graham explained that information security is a classic enterprise risk and should not be treated solely as the domain of the chief information officer or the chief information security officer.
The research found that only 16 percent of the companies surveyed have designated a chief information security officer to oversee cyber risk and privacy, and less than half (49 percent) agree they have a strategy for communicating with the general public in the event of a cyber risk incident.
Only 19 percent of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues, and only 44 percent said their company’s budget for these risks had grown.
“[Companies] must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance,” said the final report from HBR and Zurich.