IT departments still dominate cyber risk management

While a majority of firms are purchasing cyber insurance, risk management departments run a distant second behind information technology departments in being primarily responsible for spearheading companies’ information security risk management efforts, says a survey of risk managers by Zurich Insurance Group Ltd. and Advisen Ltd. released Tuesday.

This year’s fifth annual Information Security and Cyber Liability Risk Management report is based on a survey of 488 risk managers, insurance buyers and other risk professionals.

According to the report, 61% of respondents said they purchased cyber insurance last year; of these, 73% purchased it on a stand-alone basis, 12% purchased it by endorsement, and 14% purchased both. A total of 30% said they have increased the amount of coverage, 36% said they are considering doing so, and 34% said “no” to both.

Of those who do not purchase cyber insurance, the most common response, at 20%, was, “My superiors do not see the need.”

A total of 68% of respondents said the IT department was primarily responsible for spearheading the information security risk management effort, which compared with 69% in the 2014 survey, and 78% in the 2013 survey. Risk management and insurance came in at 12%, compared with 11% in 2014. Others cited as primarily responsible included chief privacy officer, general counsel’s office, treasury or chief executive officer’s office, internal audit and human resources.

Among other survey results, 72% of respondents said they have a data breach response plan in place in the event of a data breach. A total of 43% said they have exposure to the Internet of Things, 13% said they did not, and 44% said they did not know.