A recent report showed a slight increase, from 10% to 26%, in companies with cyber insurance coverage between 2013 and 2014, and stated that most US companies are deficient in “keeping the data breach response plan up-to-date, conducting risk assessments of areas vulnerable to a breach, continuous monitoring of information systems to detect unusual and anomalous traffic and investing in technologies that enable timely detections of a security breach.” In September 2014, the Ponemon Institute LLC issued a report entitled “Is Your Company Ready for a Big Data Breach?”, sponsored by Experian Data Breach Resolution, which stated that cyber insurance policies and incident response (IR) awareness are becoming more important:
In 2013, only 10 percent of respondents said their company purchased a policy. This year, the percentage more than doubled to 26 percent. Further, the use of standard or model contract terms with third parties, vendors or business partners increased. In 2013, 65 percent of respondents said their organizations had these in place and this year it increased to 70 percent of respondents.
Here are topics reported by Ponemon about cyber problems and IR planning:
More companies have data breach response plans and teams in place. In 2013, 61 percent of companies had such a plan in place. This increased to 73 percent in this year’s study. More companies have teams to lead data breach response efforts. In the 2013 study, 67 percent of respondents said they had a data breach response team. This increased to 72 percent.
Data breaches have increased in frequency. In 2013, 33 percent of respondents said their company had a data breach. This year, the percentage has increased to 43 percent. Sixty percent say their company experienced more than one data breach in the past two years. This increased from 52 percent of respondents in 2013.
Most companies have privacy and data protection awareness programs. Ponemon Institute research has revealed that mistakes made by employees are a frequent cause of data breach. While we believe all companies should have such a program, it is a good sign that the existence of training programs increased. In this year’s study, 54 percent say they have privacy and data protection awareness training for employees and other stakeholders who have access to sensitive personal information. This increased from 44 percent in 2013.
There was very little change in the training of customer service personnel. When companies lose customer data, very often it is customer service that must field questions from concerned customers. In 2013, 30 percent of respondents said they provided training on how to respond to questions about a data breach incident. This increased slightly to 34 percent of respondents in 2014.
InformationWeek Dark Reading also reported:
Nearly three-fourths of US Fortune 500 companies now have set up incident response plans and teams in preparation for cyberattacks, but only one-third of them consider their IR operations actually effective in the face of a data breach, according to a new study.
Hopefully more companies will understand their risk and do a better job of protecting themselves with cyber insurance and IR.