A new report says that while cyber liability insurance has proven effective in covering many cyber-related losses, the majority of small breaches often fall below cyber insurance policy deductibles that trigger coverage, leaving organizations to manage and pay for all breach response.
According to the Advisen Ltd. report Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, sponsored by ID Experts, the majority of breaches are small and may go undetected for a long time. When they are detected, most organizations lack the internal resources to handle breach response, putting them at greater risk of costly fines and lawsuits, reputational harm, and customer identity theft. It is no wonder, then, that 80 percent of organizations are concerned about the consequences of a large breach and the impact it would have on their business. While 64 percent of those surveyed carry cyber insurance, most small breaches are not covered, leaving organizations to manage the gaps in their coverage themselves.
"The report indicates that there is a lot of concern about data breach impact and uncertainty about data breach response best practices. Most organizations are not prepared to manage the high-risk, high-threat landscape in which we do business," said Jeremy Henley, director of breach services at ID Experts. "Sixty percent of respondents rely solely on the IT department to manage data breach response. However, best practice is a cross-functional team with a combination of specialties to handle a data breach to fully protect the organization and meet privacy and regulatory compliance."
"Why do breaches go undetected? Many organizations do not have the qualified resources, processes, or systems in place," said Aloysius Tan, product manager at Advisen. "For organizations who lack the resources, full-service breach response vendors can help. Respondents are most interested in help with forensics, protection services, pre-breach services, and call centers."
Key findings of the report include:
- All organizations are at risk of a data breach and most are not prepared. Any organization that collects or stores sensitive data, whatever its size or industry, is exposed. Organizations that proactively prepare for and manage data breach risk can significantly reduce the impact of a breach. However, the report finds that organizations are not prepared for data breaches because they lack adequate resources.
- Most organizations are concerned about the consequences of a data breach. The majority of breaches are small, under 500 records, and may go undetected for a long time. Eighty percent of organizations are concerned about the consequences of a large data breach and the impact it would have on their business. More than half (55 percent) of respondents do not believe their company has adequate resources to detect breaches, so many breaches may go undiscovered. Seventy-five percent of respondents have developed an incident response plan, but only 42 percent have tested it. Seventy-two percent of respondents said they conduct a cybersecurity and privacy risk assessment at least annually; however, they may not have a consistent process for doing so, which leads to errors and inconsistencies.
- Most organizations are not prepared to manage data breach response. The report found that while many organizations are taking key steps to prevent and detect data breaches, many are not prepared for, or lack the resources to manage, breach response, including its legal and regulatory requirements. The majority of organizations use internal resources to manage small but high-frequency breaches; in fact, 60 percent of respondents rely solely on the IT department to manage data breach response. However, IT on its own is generally not equipped to handle data breach compliance and regulatory requirements.