Despite Growing Corporate Awareness of Data Breach Risk, Risk Planning Lags

Advisen has released report titled, “A New Era in Information Security and Cyber Liability Risk Management: A Survey on Enterprise-wide Cyber Risk Management Practices,” which summarizes the results of a survey of over 500 risk management professionals. More than 60 percent of the survey participants work for companies with annual revenues exceeding $1 Billion a year while the remainder work for smaller companies.

The survey results suggest that businesses are recognizing the seriousness of the risks posed by potential compromise of data security. The vast majority of respondents stated that their organization views information security as at least a moderate threat and more than two-thirds of respondents stated that information security risks are a specific risk management focus within their organizations. Most organizations have some form of multi-departmental information security and cyber risk team or committee, and more than two thirds of respondents said their organizations have a disaster response plan in place in the event of a major breach.

Despite widespread recognition of data breach risk, risk contingency planning may still be inadequate. For 41 percent of respondents, the IT department is responsible for complying with state data breach notification laws following a breach. The IT department often may be ill-equipped to satisfy the inconsistent notification requirements of the 46 different states that have enacted breach notification laws and the independent obligations that may arise under federal laws, such as HIPAA-HiTech and Gramm-Leach-Bliley, or under industry self-regulation, such as the CPI rules. The recent adoption of breach notification rules in various jurisdictions around the globe further complicates data breach response. Furthermore, the majority of the organizations represented by this survey have not acquired cyber insurance as a tool for managing the risks associated with data breach. This statistic may change as companies consider the SEC’s recent recommendation that companies disclose in their SEC filings both: 1) the particular data security risks that their organization faces; and 2) the insurance they have in place to address that risk.