Many companies still do not devote sufficient attention to cyber risks, despite an increase in frequency, scope, and sophistication – and harsher penalties for lack of regulatory compliance and loss of sensitive data. This finding comes from research conducted in association with the Federation of European Risk Management Associations (FERMA) by Harvard Business Review Analytic Services, corporate insurer Zurich and the public sector risk management organisation PRIMO.

FERMA board member Julia Graham who led FERMA’s participation in the project said: “Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered.”     More than three-quarters (76%) of survey respondents said that information security and privacy had become more significant areas of concern in the past three years. A majority also indicated that board involvement is growing in their organisation.

“They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance,” the final report from HBR and Zurich concludes.

“Information security is a classic enterprise risk,” commented Julia Graham. “It is not solely a subject for the domain of the chief information officer or the chief information security officer.”

In any case, only 16% of companies covered in the survey have designated a chief information security officer to oversee cyber risk and privacy, and less than half (49%) agree they have a strategy for communication to the general public in case of a cyber risk incident.

Just 19% of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues, and only 44% said their company’s budget for these risks has grown.

The sheer number of ways in which data can be lost, stolen, or misappropriated illustrates the prevalence of the threat. Respondents highlighted the following threats to the information security and confidentiality:

  1. malware and other viruses
  2. administrative errors
  3. incidents caused by data providers
  4. malicious employee activity
  5. attacks on web applications
  6. theft or loss of mobile devices
  7. internal hackers

Regulation and compliance concerns appear to be driving much of organisations’ planning around cyber risk. Survey respondents most frequently placed business income loss and the cost of restoring crucial proprietary electronic information among their top five concerns. The next three concerns all related to legal liability:

  • Legal defence and settlement costs from third party claims
  • Costs of regulatory settlements
  • Costs of defending regulatory investigations.

FERMA is highlighting the issue with a session at its 2013 Risk Management Forum in Maastricht starting on 29 September.

Access the full report at ‘Meeting the Cyber Risk Challenge

This analysis reflects the results of a Harvard Business Review Analytic Services web-based survey conducted with 152 respondents involved in risk management for their organisation. Virtually all respondents were based in Europe. Data was collected July-September 2012.

For more information, contact

Press contacts:

Lee Coppack

FERMA media coordinator or +44 (0)20 8318 0330 or +44 (0)7843 089904


Florence Bindelle

FERMA executive manager or +32 (2) 761 94 31