Surveys Reveal Executive Concerns over Cyber Security Risk

Two surveys have revealed concerns at executive level in companies both in Europe and around the world on the cyber security threat.

The Federation of European Risk Management Associations (FERMA) reports that many companies still do not devote sufficient attention to cyber risks, despite an increase in frequency, scope, and sophistication as well as harsher penalties for lack of regulatory compliance and loss of sensitive data. This finding follows research conducted by FERMA in partnership with Harvard Business Review (HBR) Analytic Services, corporate insurer Zurich and the public sector risk management organisation PRIMO.

FERMA board member Julia Graham who led FERMA’s participation in the project said: “Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered.” More than three-quarters (76%) of survey respondents said that information security and privacy had become more significant areas of concern in the past three years. A majority also indicated that board involvement is growing in their organisation.

“They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance,” the final report from HBR and Zurich concludes.

“Information security is a classic enterprise risk,” commented Graham. “It is not solely a subject for the domain of the chief information officer (CIO) or the chief information security officer.”  

In any case, only 16% of companies covered in the survey have designated a chief information security officer to oversee cyber risk and privacy, and only 49%  said they have a strategy for communication to the general public in case of a cyber-risk incident.

Just 19% of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues, and only 44% said their company’s budget for these risks has grown.

A separate report by KPMG, of 1,800 audit committee members across 21 countries worldwide, finds that high

level directors at numerous corporations are concerned about the quality of information they receive about cyber security threats.

The findings from KPMG’s Audit Committee Institute should be of interest to corporate treasurers, if they look after the risk function at their firm, traditional information security officers in the IT department, or anyone else interested in educating the boardroom about cyber security threats and the risks that flow from it.

It clear from the findings that audit committee members, including external senior non-executives, do not think that they are currently receiving about information about online and social media threats and the risk mitigation programmes designed to stop them, with only 26% of the 1800 respondents saying that were “satisfied”. This compares to satisfaction levels of over 70% on legal and regulatory compliance issues. A desire for a broader range of skills on audit committees including IT, treasury or risk expertise, is also evident from the report, says KPMG.

As the report’s author, Malcolm Marshall, a partner in KPMG’s risk consulting practice, said the survey shows, “there are too many examples of complacency and defending an organisation cannot be left to IT, alone.”

Nearly half of the survey respondents globally (45%) said their company’s risk management programme generally, including cyber security, required “substantial work”.

Meanwhile, anti-bribery laws have become a significant area of attention with over three quarters of the audit committee members questioned in the UK saying that they have increased their focus on the issue. Recent high profile cases involving defence contractors and banks no doubt have something to do with this change in outlook.

“The findings confirm our experience that the level of information that boards’ receive on cyber security is patchy,” added Marshall. “Defending businesses against the threat needs leadership from the top and audit committees should play a key role in this.  The results show that they have an appetite to get more actively involved.”


Related reading