Data loss worries execs, but 49% “don’t know” if they have a plan

By Erin Ayers on April 14, 2015

Exposing personally identifiable information ranks as corporate executives’ top cyber-related concern, according to 63 percent of respondents to a recent survey conducted by Mayer Brown. Executives reported far less concern over losing trade secrets – less than 10 percent of respondents listed it as a top consideration.

Worries over personal information and more activity on data breaches in Congress were reflected by the 84 percent of respondents who said they expect national standards for breach notification to be enacted in the next five years.

“Given the number of breaches that have occurred in recent years, it makes sense to instead have a clear set of standards, not just for notification but for information security as well,” said Mayer Brown, a global legal services provider.

More than half (54 percent) of respondents also indicated that they expect national standards for securing information. Thirty-six percent feel that the existing cybersecurity framework developed by the National Institute of Standards and Technology (NIST) has helped, but 47 percent aren’t sure, and 17 percent said it has not helped.

However, in a survey for corporate executives aimed at gauging the level of importance of cyber risks, what respondents do not know may be the most significant information. One concerning response in the survey indicated that while 27 percent of respondents said they carry a separate cyber insurance policy for liability and seven percent for remediation costs, another 33 percent of corporate executives said they did not know whether they carried a separate policy. Another 28 percent said they did not carry a policy, but planned to buy one in the future. Four percent said they had “no interest” in cyber insurance. And when a cyber event occurs, only seven percent say their first call is to their insurer and 28 percent call their lawyers first.

When asked whether they had a solid data protection plan in place, 30 percent said they did, and used an outside consultant, and 30 percent said they used NIST, ISO, or PCI standards to develop a plan. A few of those respondents weren’t too sure about their data protection, though, since another 49 percent said they didn’t know whether they had a plan in place (more than one answer to the survey could be selected).

Interruption of business operations came in second on the executives’ list of concerns with 24 percent, the survey found. Illustrating the prevalence of cyber-related problems, 63 percent of respondents say they consider these issues to be “just one more cost of doing business,” but they do feel that cyber problems can be overcome. More than half (57 percent) say that the threat of litigation only modestly affects their cybersecurity strategies.

And for some respondents, a pessimistic outlook prevailed, with 29 percent saying they feel cybercriminals will continue to have the upper hand over existing legislative protections and enforcement options.

In terms of legislative protections, survey respondents feel that some immunity from liability is necessary to encourage sharing of threat data with the government.

“Without meaningful liability protection, companies will be hesitant to participate because any act or omission made by a participant based upon cyber threat information received by that entity could subject it to liability,” stated Mayer Brown in its report. “This concern may also explain why only 23 percent of respondents said that their company had built a close working relationship with either a government enforcement agency (FBI, US Secret Service) or a prosecutorial agency (DOJ or state attorneys general) on cyber issues. An equivalent percentage (23 percent) reported working closely with industry regulators (FTC, FCC, FDIC, CFPB). Over 40 percent said ‘no, they have no such relationship,’ while approximately 24 percent did not know.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].