2015 & 2016 Cyber & Data Security Risk Survey Report

For Small and Midsize Employers

June 8, 2016

Small and midsize employers still appear to be vulnerable to the risks of cyber-crime and data breaches. And organizations are still not doing enough to protect their data or recover from a breach. But there is good news and a strong indication that these organizations are making efforts.

41% of organizations said they have implemented data security insurance coverage, compared to only 33% in 2014.

Those results come from our Annual Cyber & Data Security Risk Survey (the 2015/2016 survey is our third). Our intent was to help small and midsize employers better understand how they compare to their peers around the country in the areas of cyber exposure, adoption of risk management techniques, and their overall understanding of the risk they face.

As with last year, the bottom line could best be described as underestimating risk and overestimating security. And that’s a serious problem, as organizations of all sizes are responsible for protecting valuable information – their own, data from business partners or employees, and, arguably, most importantly, data from clients and customers.

The ultimate lesson, however, to be gleaned from this data is that organizations that view cyber and data security as a fundamental organizational issue – and, therefore, discuss it regularly at the executive level – are positioned far better to weather a cyber or data incident. Specifically, these organizations have more risk management protocols in place and are more prepared to respond to an incident if – and when – one occurs.

Doesn't Cyber Crime Always Happen to Someone Else?
Cyber-crime is on the rise, yet small and midsized firms in the United States haven’t seen protecting themselves against a cyber threat – or planning for the result of experiencing one – as a significant priority.

If an organization is very, very lucky, it might never experience any form of data breach or other cyber security problem. But the odds are not in their favor. In fact, in 2015, 50% of all small to midsize companies reported being the target of a cyberattack. But there’s an even more important – and frightening – fact:

60% of all cyber-attacks last year struck small to medium-sized businesses.

Small to midsized businesses are the most vulnerable, and even one successful attack can shut a company down completely given the enormous costs associated with recovery. Ironically, organizations that participated in the Marsh & McLennan Agency survey believed they were reasonably well protected against cyber-attacks and data breaches.

All respondents’ average self-ranking of their data security: 3.18 out of 5 (scale of 1 to 5, with 1 being not protected at all)

When asked how protected the IT manager (or person responsible for computer systems) would say the organization was from attacks and breaches, that number was even higher.

What do these numbers mean for your security?

  • 1.6% - consider their data security "bomb proof"
  • 55.2% - have no corporate recovery plan in place
  • 42.9% - lack the expertise to develop a data security plan

According to our survey, only 1.6% of the respondents said they thought their organization’s data security was “bomb proof” (although it’s technically impossible to achieve 100% security, it is what an organization should strive to achieve). 55.2% said they did NOT have a corporate recovery plan in place to help guide them in case of the loss of confidential, personally identifiable information. And fully 42.9% said their organization did NOT have the expertise to develop any kind of data security plan.

Even though a growing number of organizations have now added cyber risk insurance, there are still a lot of unprotected small and midsize companies that could be doing a lot more to safeguard themselves with even a little effort.

Data security is something we don't talk about, but we face data risk every day.

In order to run a successful business, most small to midsize organizations are performing functions that can invite cyber-crime if security procedures are not put in place:

Yes, despite the apparent and immediate hazards, data security and risk management are seldom discussed at the executive level of the organizations we surveyed:

  • 54.4% - Seldom discuss
  • 10.2% - Never discuss

However, those organizations that regularly talk about data security at the C-level are twice as likely to have a recovery program in place in the event of a data security breach. What happens if a service provider either loses or otherwise compromises any confidential data or personally identifiable information for which these organizations are responsible? How does an organization ensure they would recover damages?

Here again, those organizations that discuss cyber-security are much more likely to have taken action to ensure recovery than those that do not. For example:

Percentage of respondents that ensure that attorney-reviewed contracts are in place with all third-party service providers that include compensation guarantees for losses.

  • Those that report talking regularly or frequently about cyber security 21.32%
  • Those that seldom or never talk about cyber security 6.05%

Percentage of respondents that analyze the financial strength of all third-party providers, ensuring their ability to compensate.

  • Those that report talking about security regularly or frequently 24.26%
  • Those that do not talk about security regularly or frequently 9.68%

Percentage of respondents that required all vendors to have proper and adequate insurance in place.

  • Those that report talking about security regularly or frequently 46.32%
  • Those that do not talk about security regularly or frequently 27.82%

Percentage of respondents that report taking NO measures to ensure their ability to recover damages if an outsourced business service provider lost or compromised their data.

  • Those that report talking about security regularly or frequently 20.59%
  • Those that do not talk about security regularly or frequently 44.76%

How Secure are Your Third Party Partners?
Risk increases when organizations outsource functions that give access to sensitive data. The majority of the firms we surveyed have outsourced a significant amount of potentially sensitive work to third parties. 51% had four or more providers and 36% had three or more.

Your company can be as secure as possible, but if your business partners and vendors lack proper cyber security, you can be vulnerable to attacks and liable for the fallout. Outsourcing these services does not protect your organization – no matter how great your provider’s insurance may be.

How Secure are your Employers?
Social engineering is a growing problem in many organizations; “spear phishing” is one example of this type of fraud. Cyber criminals make contact with employees, gain their trust – often by simply offering an innocent looking link in an email – and then use whatever access they are granted to roam freely through a company’s data, including client and customer data.

The good news? One-third of the employers in our survey had implemented some form of employee education during the past year and 52% had done so within the past three years.

However, employers that are engaged in IT security discussions are more likely to have internal security measures in place. In fact, 70% of employers that discuss cyber security at the executive level regularly or often have implemented employee education in the past three years to guard against cyber-attacks, compared to 42% of organizations that seldom or never discuss the issue.

Which risk management techniques have been implemented or conducted within the past 12 months?
In most cases, less than one-third of the respondents had employed any of the individual risk management techniques quoted in the survey (employee education being the exception). But most concerning was that more than 13% of the respondents had done absolutely nothing to manage this risk.

Which of the following loss mitigation techniques have been implemented or conducted within the past 3 years?
Here again, few respondents had established programs for mitigating loss due to a data breach. And 4 out of 10 of them had no loss mitigation capability at all.

As you can see, the numbers illustrate a clear positive correlation. Continued discussion about cyber security and mitigating loss at the highest levels appears to lead organizations to take a far more active role in implementing policies and programs. Beginning those conversations at the C-suite level of an organization is easy to do and, as we’ve seen from the survey, shows powerful, positive results.

Why don't organizations have a recovery plan in place?
Earlier we said that 55.2% of the organizations we surveyed did NOT have a corporate recovery plan in place to help guide them in case of the loss of confidential, personally identifiable information.

  • 34.6% - believe the threat isn’t severe enough to warrant the investment of time and resources.
  • 42.9% - don’t have the right expertise in place to develop a plan.

Yet every one of these organizations amasses and stores data – from social security numbers to credit card information – that hackers can sell for substantial profit.

What role does insurance play in managing cyber risk?
We asked organizations whether or not they see insurance as a significant part of their cyber risk management plan:

  • 59.2% - More than half of respondents had no cyber liability, network security liability, or confidential information liability insurance policy in place.
  • 77.0% - Of those without cyber liability insurance, more than three-quarters had never gotten a quote for cyber liability insurance.

The reasons? They ranged from an inability to afford the additional cost of insurance (12.4%) to not believing the benefits justified the cost (28.0%) to lack of understanding of the coverage (34.8%).

  • 13.6% - believed (incorrectly, which was typical) that another policy covered data security.
  • 10.4% - stated that internal disagreements on the need for such a policy kept them from investing in one.

But, interestingly, only 7.2% said that their IT security and controls were tight enough to not require coverage.

While the majority remains uninsured, the number of those with policies has risen every year we’ve done this survey. This may be because smaller and midsize employers are learning that strong cyber liability insurance products go beyond simply providing insurance.

So which industries, according to our survey, are taking advantage of cyber liability policies, and what can those policies help deliver?

The cost of action versus inaction?
Any organization is vulnerable to a cyber-attack. But small and midsized firms – the ones we surveyed – are especially at risk. They simply don’t have pockets deep enough to sustain the fallout from a data breach.

Corporate reputations can be severely damaged by a cyber-attack. Current customers and clients, as well as prospects, vendors, and other business partners, will be understandably hesitant to do business with a company that is weathering an attack. Even employee retention and acquisition can be deeply affected.

Yet, according to the survey, nearly 40% have not yet talked with any insurance broker or agency about cyber liability, network security liability, or confidential information liability insurance.

Now is the time to start a conversation.

Everything we’ve learned since we began this survey points to the clear benefits of starting and maintaining regular discussions at the highest levels of any small to midsize organization regarding protection against the eventuality of a cyber-attack or data security incident – as well as the ability to recover should one occur.

To get further information specific to your organization, contact your Marsh & McLennan Agency representative or Dan Hanson at dan.hanson@marshmma.com.