Dylan Bryant, IPZ regional head of customer, distribution and marketing, Asia-Pacific, Zurich Insurance, explores cyber risks and the potential exposures facing firms
Awareness of cyber risk has been growing steadily in recent years. Increased media coverage following some high-profile data breaches and regulators imposing or considering cyber legislation have converged to bring this emerging risk to the forefront of risk managers’ minds. Cyber security professionals continue to warn of the growing exposure of information systems. Cyber risks, it can be argued, represent an important risk for all types of organisations.
Now that cyber risk is discussed at the board and executive-management level, the full range of exposures needs to be considered. Cyber risks include risks associated with such things as intellectual property infringement, stolen or lost data, cloud computing, violation of privacy laws, social media, mobile devices and bring-your-own devices. According to several recent surveys, organisations are adopting various strategies to address these risks. Increasingly we are seeing organisations adopting an enterprise-wide, or at least a multi-departmental, approach to cyber-liability risk management. With the small but growing number of insurance solutions available in the market, there are increasing options for risk managers to address the potential costs associated with a loss as a key element of the organisation’s cyber risk management strategy.
Currently IT departments continue to lead the way when it comes to data security and privacy initiatives in most organisations. However, risk managers are beginning to play a more significant role in the development of a response strategy and in the discussion on transferring that risk. A 2012 survey conducted by Advisen in the US found that: “The percentage of organisations where risk management/insurance led the data security risk management programme increased slightly to about 15%, as compared with about 13% in 2011.” Another key finding from the survey was that in nearly 80% of organisations with multi-departmental data security and privacy teams, the risk management/insurance department is represented on the team.
A key area that will become increasingly important for organisations in Asia is the evolving data-breach reporting requirements. Most countries in the region now require the reporting of such incidents. The key decision for the board will be where the risk management for cyber liability will sit: will it be the IT department or the risk-management department?