2017 RIMS CYBER SURVEY

Transcription

1 2017 RIMS CYBER SURVEY

2 This report marks the third year that RIMS has surveyed its membership about cyber risks and transfer practices. This is, of course, a topic that only continues to captivate the business world s attention year after year. Based on our 2017 results, organizations are buying more cyber insurance and spending more on cyber risk best practices. On the heels of WannaCry and other ransomware outbreaks, respondents chose cyber extortion as one of the leading first-party exposures their organizations face (72%). Business interruption as a result of network outage is still the leading first-party exposure, according to 80% of respondents. On the cyber insurance front, there might be the beginning of a plateau in 2017 s data. Businesses are still relying on insurance to address the growing number of cyber risks: when asked if they transfer cyber exposure to a third party, 72% of respondents said yes. That is up, but not by much, from 2016 s result of 69%. The utilization of stand-alone cyber insurance policies is mostly static with 2016: of those who have cyber coverage, 83% do it with stand-alone products. In 2016, it was 80%. The rate of increase for stand-alone policies might be slowing because other forms of insurance coverage are picking up the slack. Of those who are insured but do not have stand-alone policies, 84% say that other purchased insurance policies include cyber liability coverage (up from 76% last year). In short, we might be seeing something resembling maturity from the cyber insurance market. Those who want to buy cyber coverage have bought it, and specialty stand-alone cyber coverage is nearing saturation. In 2018, any trends along these lines will be more discernable. When it comes to government regulations, options are still divided. The percentage of respondents who think the government should mandate the reporting of cyber breaches was flat compared to Only 34% think that government should mandate cyber security standards. Information Sharing and Analysis Organizations are faring better this year, however. About a quarter of respondents say their organizations belong to one of these voluntary reporting groups created by US law in In 2016, it was 20%. METHODOLOGY This year s survey had 288 respondents; 2016 had 272. Demographics such as industry sector, organization revenue and number of employees held close to 2016 results. In 2017 the number of financial services respondents dropped nearly four percentage points, while government and manufacturing respondents were up about four percentage points each. The survey was distributed to RIMS membership via an internet link, and was in field between May 18 and June 25, Percentages shown are rounded up or down to the nearest whole number. If you have additional questions about data collection, please contact RIMS at content@rims.org. As the preeminent organization dedicated to educating, engaging and advocating for the global risk community, RIMS, the risk management society, is a not-for-profit organization representing more than 3,500 corporate, industrial, service, nonprofit, charitable and government entities throughout the world. RIMS has a membership of approximately 11,000 risk practitioners who are located in more than 60 countries. For more information about the Society s world-leading risk management content, networking, professional development and certification opportunities, visit PUBLICATIONS EDITOR Morgan O Rourke ANALYSIS Brandon Righi RIMS hopes you find the full survey results informative. If you have additional questions about the information you find here, please contact content@rims.org. 1

3 SURVEY AT A GLANCE» LESS THAN HALF think that» About a THIRD think» 24% belong to Information the government should the government should Sharing and Analysis mandate the reporting of cyber breaches. mandate cyber security standards for companies. Organizations (ISAOs), compared to 20% in % 58% % 69% % 72% Percentage identifying cyber extortion as a first-party exposure Percentage transferring cyber risk to third parties 44% 26% 48%...of those purchasing cyber insurance have a limit in the $5m to $20m range....say they will spend more than $1m to protect against cyber security exposures in report they are spending more than last year to protect against cyber security exposures. 2

4 RESULTS 1) Please identify your organization s potential first-party cyber exposures. Business interruption and extra expense as a result of network outage Business interruption and extra expenses for loss of data 72% 80% Cyber extortion 72% (s9% from 2016) Theft of trade secrets or IP 42% Reputational harm Regulator investigations, fines, penalties Cost related to notification, response, etc. 52% 75% 79% 2) Please identify your organization s potential third-party cyber exposures. Disclosure of personal indentifiable information (employees or customers) 88% Media liability 43% Business interruption 61% Economic harm to customers as the result of a network outage Regulator investigations, fines, penalties 46% 51% Cost related to notification, response, etc 73% 3

5 3) Does your organization transfer the risk of cyber exposure to a third party? 72% (69% in 2016) 23% 5% 4) Is your organization considering a purchase of cyber coverage within the next months? 61% 16% 23% 5) If your organization is not interested in cyber coverage, please explain why. SOME COMMENTS FROM RESPONDENTS: Organization has pushed back due to low risk and controls in place. Coverage is inadequate for our industry. Our potential loss is extremely low except for a black swan which is so large you can t effectively cover it in the current market. 6) Does your company have a stand-alone cyber insurance policy? 83% (80% in 2016) 17% 4

6 7) Is your organization s cyber liability coverage included in other purchased insurance policies? 84% (s8% from 2016) 13% 3% 8) Does your organization purchase cyber insurance as a result of contractual obligations? 17% 82% 1% 9) Please select a range of limit purchased. Less than $5 million 20% $5 million $20 million 44% $20 million $50 million 14% $50 million $100million 13% $100 million $200 million 6% More than $200 million 2% 5

7 10) What premium are you paying for your cyber coverage? Less than $50,000 29% $50,000 $75,000 14% $75,000 $100,000 7% $100,000 $200,000 16% $200,000 $500,000 15% More than $500,000 19% 11) Which of the following is included in your cyber insurance policy? Professional liability 47% Network/business interruption 87% Cyber extortion 88% Fines and penalties 70% Breach notification costs 88% Reputational harm 41% Theft of trade secrets 34% Data recovery 76% 6

8 12) Does your organization s cyber insurance coverage extend to data stored in cloud servers? 57% 9% 34% 13) Are you considering purchasing cyber coverage for data stored in cloud servers in the next months? 42% 24% 34% 14) Does your organization have a response plan in place in the event of a cyber crisis? 83% 7% 10% 7

9 15) Who is involved in that response procedure? (Please check all that apply) Public relations 67% Information technology 93% Legal 82% Risk management 83% Information security 76% Compliance 42% Privacy officer 40% 16) Has your organization identified cyber risk using any of the following methods or tools? Enterprise Risk Management (ERM) 42% Strategic Risk Management (SRM) 20% NIST cybersecurity framework 33% Software 32% Consultants 49% 24% 8

10 17) Which of the following has primary responsibility for cyber security within your organization? Risk management 5% Information security 42% Information technology 51% Privacy 1% Compliance 1% 18) Which individual within your company has primary accountability for cyber security? Risk manager 6% Chief information security officer 82% Chief risk officer 4% Chief privacy officer 3% Chief compliance officer 3% Attorney 2% 9

11 19) Which of the following methods does your company use to evaluate cyber security? In-house committee 58% Third party vendor 59% Risk assessments 75% Audit 51% 20) How much will your company spend to protect cyber security exposures in 2017? Less than $100,000 25% $100,000 $250,000 25% $250,000 $500,000 12% $500,000 $750,000 7% $750,000 $1,000,000 6% More than $1,000,000 26% 21) How does this amount compare to 2016? Increase compared to % Decrease compared to % Flat compared to % 19% 10

12 22) What will be your top cyber risk spending categories in 2017? (Please check all that apply) Employee education 50% Incident response 23% Scanning tools 52% Smart phone encryption software 13% Active monitoring and analysis of information security 71% Cyber insurance 52% Unauthorized use of access monitoring tools 28% Other 9% 23) Which aspect of cyber risk is most relevant to your company? Privacy issues 20% Loss of business 5% Reputational issues 27% Business interruption 24% Legal liability, fines, and penalties 13% Information security requirements 11% Other 1% 11

13 24) Do you think the federal government should mandate the reporting of cyber breaches? (U.S. repondents only) 47% 25% 28% SOME COMMENTS FROM RESPONDENTS: Only for publicly traded companies or organizations that are in industries critical to infrastructure. Even if reporting occurs, the government is not in any position to do anything about it. It s the only way to get people to disclose that they ve been breached. There must be significant fines for failing to do this. Only if the states back off their reporting requirements. 25) Do you think the federal government should mandate cyber security standards for companies? (U.S. repondents only) 34% 46% 19% SOME COMMENTS FROM RESPONDENTS: Only in certain sensitive industries like banking, healthcare, etc. I think there should be guidelines for companies that hold personal information such as credit cards, financial and medical information. Let the free market take care of companies that don t maintain a certain level of security. 12

14 26) Does your organization belong to an information sharing and analysis organization (or ISAO, as created by the Cybersecurity Information Sharing Act of 2015)? (U.S. respondents only) 24% 38% 38% DEMOGRAPHICS 1) Please identify your organization s industry. Other 19% Retail 4% Hospitality 3% Healthcare 5% Financial Services 10% Transportation 5% Industrial 0% Professional Services 4% Utilities 6% Manufacturing 15% Energy 4% Education 7% Government or n-profit 14% Information Technology 3% Telecommunications 1% 13

15 2) What is your organization s estimated annual revenue? US $0 $1 million 1% $1 million $10 million 1% $10 million $50 million 6% $50 million $100 million 5% $100 million $500 million 19% More than $1 billion 54% $500 million $1 billion 14% 3) How many total employees are in your organization? More than 25,000 16% % % % 15,000 25,000 9% 500 1,000 9% 10,000 15,000 6% 5,000 10,000 14% 1,000 5,000 32% 14

16 4) Does your company have international operations? (operations in more than one country) 54% 46% 5) What is your primary country of residence? Denmark 1% United Kingdom 1% Other 4% Canada 16% United States 80% 15