3 Concerns Emerge From Risk Preparedness Report
Despite the evolving security landscape and the increasing frequency and severity of cyberattacks, many organizations overestimate their cyberpreparedness. Their trusted advisors, meanwhile, remain rightfully worried about a range of risks.
In a new survey sponsored by Experian Data Breach Resolution, Advisen polled 307 risk managers, insurance brokers and legal experts to better understand which cyber threats had them most concerned. Topping the risk list for 2017: ransomware (holding the network hostage for extortion), transfer of funds to an unauthorized recipient due to phishing or social engineering, and breach of personal or financial information due to phishing or social engineering.
Findings from “The 2017 Cyberrisk Preparedness and Response Survey” showed that while organizations and their support teams generally align on top security threats, they do not agree on businesses’ ability to effectively avoid and respond to these threats.
“The gap in confidence between internal risk professionals and third-party risk experts is concerning,” the survey said.
Experian Data Breach Resolution Vice President Michael Bruemmer pointed out, “Three industries, finance, banking and insurance, are clearly in the crosshairs.” He said there was consistency between insurance brokers (74%) and legal experts (54%), indicating that these three industries are most at risk for cyber incidents.
Employee negligence is of particular concern in the area of breaches. “This heightened concern reinforces the importance of employee education,” the survey revealed.
When it comes to personal or financial information, 80% of legal experts and 68% of insurance brokers were strongly or extremely concerned about a breach due to phishing or social engineering, while only 61% of risk managers shared the same concern.
Three overriding concerns emerged:
- Companies overestimate their cyber preparedness. While more than 72% of risk managers rated their network protection as above average, most insurance brokers and legal experts rated their clients as average or below average (67% and 52%, respectively). Both legal experts and brokers (54% and 61%, respectively) stated their clients do not have the knowledge required to work with vendors and the government to navigate cyber-risks.
- Cybersecurity remains a challenge for small businesses, many of which fall in the credit union wheelhouse. Seventy-five percent of brokers and legal experts noted that their small business clients are either “not prepared at all” or “not very well prepared” to respond to a cybersecurity incident.
- Employee negligence is a concern across the board. All three groups of respondents recognize the need to continue to educate employees, rating it as the top area of cyber incident prevention that companies should prioritize (brokers, 35.6%; legal, 41.6%; risk managers, 31.6%).
“The good news is there was some consistency about the client’s ability to work with their vendors and the appropriate government authorities to navigate cyberrisk,” Bruemmer suggested.
Bruemmer explained the annualized cost of cybercrime in financial services, obtained from 2016 Ponemon research, was about $16.5 million. When it comes to cybersecurity spending, financial services is at or near the top with health care.
While legal experts and insurance brokers generally agreed, there appears to be a discrepancy in the perceived performance of cyberrisk practices. Risk managers consistently rated their company’s performance of cyberattack prevention practices higher than the external risk experts rated their clients’ performance.
Reputational costs worry businesses and external risk experts alike. There is a clear concern among risk experts that companies are not communicating appropriately following an incident. This goes beyond public relations to how organizations are connecting with all affected parties, particularly consumers.
Time and again, companies mishandle their response to high-profile cyber incidents, resulting in customer churn and a diminished ability to meet anticipated revenues. The financial harm from a damaged reputation and loss of consumer confidence has the potential to exceed other cyber-related first- or third-party financial losses.
Bruemmer noted that preparedness, meaning the organization had a plan, practiced the plan and was ready to go, goes a long way. The cost of responding to a breach is about 25% lower for organizations that had a plan in place.