One in four executives say their insurance will ‘sufficiently indemnify’ against cyber security losses

By Canadian Underwriter | March 20, 2014 | Last updated on October 30, 2024
Fifteen per cent of executives responding to a recent survey do not know whether their company’s insurance will “sufficiently indemnify” them against losses resulting from computer security incidents, while fewer than two thirds have a formal incident response plan.

Network security vendor Arbor Networks Inc. of Burlington, Mass. released Tuesday the results of a survey on cyber security that it sponsored. The survey, of 360 senior business leaders, was conducted in November 2013 by the Economist Intelligence Unit.

When presented with the statement, “my company’s insurance will sufficiently indemnify us against any losses resulting from an incident,” 25% of respondents said they agree or strongly agree, 27% neither agreed nor disagreed, 15% of respondents did not know, 22% “somewhat” disagreed and 12% strongly disagreed.

When asked whether their firms have a formal incident response plan, 61% said yes, 24% said no but they are “in the process of doing so,” 14% said no while 1% did not know.

More than a third (36%) of respondents were presidents, CEOs or managing directors, while 7% were chief information officers or technology directors.

In the survey, the executives were also asked whether they made arrangements with certain types of organizations as part of their incident response preparations.

Sixteen percent of respondents said they had made arrangements, beyond a cyber insurance premium, with an insurance provider.

“In recognition of the heightened risk, a growing number of companies are taking out insurance policies to cover specifically against cyber-related incidents,” wrote Clint Witchalls, senior editor of the Economist Intelligence Unit, in a report titled “Cyber incident response: Are business leaders ready?” That report, sponsored by Arbor Networks, was based both on the survey results and on interviews.

“As is to be expected, interest in privacy cover is strong among industries dealing with a lot of personal data, such as retail, healthcare, financial services and education,” according to the report. “The costs of losing personal data are readily quantifiable by reference to regulatory fines. There is also the likelihood of litigation.”

Forty per cent of respondents said they had made arrangements with IT forensic experts or other specialist IT providers as part of their incident response plans or preparations. One in four said they made arrangements with specialist legal advisors.

They were also asked in which areas they were “least confident” about their company’s ability to respond to an incident. Of eight areas, respondents were asked to select two. Nearly half (49%) were least confident about their company’s ability to “accurately predict potential business impact,” such as potential legal liability. More than one in eight (13%) were least confident in their company’s ability to “disclose the incident to the relevant regulatory body within applicable time limits.”

The respondents were also given a list of categories of incidents and asked whether they had experienced any over the past 12 months. While 29% reported they had not experienced any of the incidents, 29% experienced accidental major disruption to systems, 27% reported loss of sensitive data by employees, 24% reported malicious major disruption to systems, 18% reported theft of sensitive data by employees, 11% reported theft of intellectual property by employees, 10% reported theft of sensitive data by external actors and 7% reported theft of intellectual property by external actors.

Five per cent of respondents were based in Canada and 26% based in the United States. A total of 19 industries are represented in the survey. Financial services, manufacturing, information technology and professional services are each represented by at least 10% of respondents. Nearly half of the companies in the sample (48%) have annual revenue of more than US$500 million.
