How Organizations Manage Data Breach Exposures
March 2016
MITIGATING THE INEVITABLE: HOW ORGANIZATIONS MANAGE
DATA BREACH EXPOSURES
Sponsored by
TABLE OF CONTENTS
EXECUTIVE SUMMARY
KEY FINDINGS
EVERYONE IS AT RISK
ASSESSMENT OF RISK
DATA BREACH RESPONSE – INSURANCE
DATA BREACH RESPONSE – VENDOR SERVICES
ABOUT THE SURVEY RESPONDENTS
APPENDIX
3 March 2016 | www.advisenltd.com
EXECUTIVE SUMMARY
Every organization—in every industry and of every size—that collects and stores sensitive data is exposed to cybercrime
and is at risk for data breach. Highly publicized data breaches in both the private and public sectors continue to occur in
large number and with great regularity, and show no signs of slowing down. Many more unreported data breaches that
never make it to the media occur on a daily basis. Opportunistic criminals have become adept at identifying the most
vulnerable targets and are continuously evolving in order to stay a step ahead of defenses.
The reality is that most organizations have already experienced a data breach whether or not they know it. The majority
of breaches are, in fact, small, and may go undetected for a long time. Regardless of industry or size, companies
increasingly realize that a breach of sensitive data is detrimental to their financial health. “We are highly concerned
about our financial exposure, both in fines and penalties, third party claims, and reputational harm,” said a risk
manager responding to the survey.
More and more organizations rely on cyber liability insurance to help mitigate this risk. But while cyber liability
insurance has proven effective in covering certain cyber-related losses, other types of losses may be excluded under
the policy. Additionally, many breaches fall beneath the minimum number of records required to trigger coverage.
It was with this in mind that Advisen and ID Experts collaborated on a survey to gain insight into how businesses
are preparing for and responding to data breach threats. The purpose of this study is to better understand how
organizations are assessing their breach risks, what actions they are taking to prevent breaches and how they are
managing their cyber insurance coverage gaps. The study also explores how organizations respond to data breaches
and whether organizations are, or should be, engaging with third party vendors to manage breach response efforts
while minimizing reputational, regulatory, and litigation risks.
KEY FINDINGS
• 80 percent of all surveyed organizations are concerned about the consequences of a large public data breach.
• 17 percent of respondents have experienced a data breach that they are aware of over the previous 12 months.
• The vast majority of the data breaches experienced are small, consisting of a loss of fewer than 500 records.
• The median data breach is 100 records.
• Only 45 percent of respondents believe their company has adequate resources to detect all breaches.
• 75 percent of respondents have developed an incident response plan but only 42 percent have tested the plan.
• 60 percent of respondents said that the information technology (IT) department is responsible for managing the
data breach response.
• 64 percent purchase cyber insurance.
• The vast majority of breaches fall below the cyber insurance policy deductible.
• Most organizations use internal resources to manage small breaches.
• 51 percent have selected data breach response vendors.
• 75 percent prefer to receive all cybersecurity risk services from a single vendor.
EVERYONE IS AT RISK
Organizations that hold sensitive data, regardless of their size, face
data breach risks. In fact, most businesses, insurers, and cybersecurity
professionals now accept that the question is no longer if a data breach
occurs, but rather a matter of when and how bad will it be.
A large public breach can bring a tremendous amount of unwanted
attention. As a result, it is no surprise that the vast majority of risk
professionals surveyed (80 percent) worry about the consequence of such
an occurrence. They express a range of concerns that are largely centered
around the financial impact the breach will have on their business.
“Public perception and reputation damage alone would negatively impact business,” explained one respondent. “Our
biggest concern is the financial exposure both in fines and penalties as well as third party claims and reputation harm,”
another said. “It could impact business, which is our livelihood,” stated another.
Hacker methods are continuously evolving, allowing them to identify new vulnerabilities and penetrate even the most
well-fortified websites and networks. Simultaneously, the ability to execute cyberattacks has become easier as
hacking toolkits and contract hackers are readily available for purchase, rent, or hire on the Internet.
While it now is a near certainty that a company will at some point experience a data breach, what is not certain is the
impact the breach will have on their business. It is widely accepted that organizations that proactively prepare for and
manage data breach risk will significantly reduce the impact.
Businesses must ask themselves if they are adequately prepared to identify and respond to this now nearly inevitable data
breach occurrence. On the surface, the data suggests that many are. Sixty-seven percent of the survey’s respondents
claimed to not have experienced a data breach in the previous 12 months, with another 17 percent saying they
experienced only one or two breaches over that period (Exhibit 1). However, less than half (45 percent) of the respondents
believe their organization has adequate resources to detect data breaches, so many breaches may go undiscovered.
EXHIBIT 1: MOST ORGANIZATIONS HAVE EXPERIENCED A LOSS OF SENSITIVE DATA IN A SMALL BREACH AND IN MANY CASES MULTIPLE LARGE BREACHES. HOW MANY DATA BREACHES HAS YOUR ORGANIZATION EXPERIENCED IN THE LAST 12 MONTHS?
Answer Option    Response Percent    Response Count
0                67.5%               112
1 - 2            16.9%               28
3 - 5            8.4%                14
10 or more       6.6%                11
5 - 7            0.6%                1
7 - 9            0.0%                0
Answered question: 166
Skipped question: 37
The unfortunate reality, however, is that many are likely experiencing breaches that have yet to be discovered. The
reason for this may not be for lack of desire or for lack of trying, but rather because they simply do not have the
qualified resources, processes or systems. Respondents were asked if they believe their organization has adequate
resources to detect all data breaches. Forty-five percent said yes but the remaining 55 percent either said no or that
they did not know (Exhibit 2).
EXHIBIT 2: DO YOU BELIEVE YOUR ORGANIZATION HAS ADEQUATE RESOURCES TO DETECT ALL DATA BREACHES?
Answer Option    Response Percent    Response Count
Yes              44.6%               74
Don't Know       28.3%               47
No               27.1%               45
Answered question: 166
Skipped question: 37
ASSESSMENT OF RISK
Risk professionals agree that having a clear understanding of exposures and vulnerabilities
and developing a data breach incident response plan around those vulnerabilities is key to
minimizing the potential for loss. A poorly managed response significantly increases the risk
for costly fines, lawsuits, reputational harm, and customer identity theft.
Seventy-two percent of respondents said that they conduct a cybersecurity and privacy
risk assessment at least annually (Exhibit 3).1 Most said that they actively update their
privacy and security policies, training, and internal resources.2 And the majority (75
percent) has also developed an incident response plan (Exhibit 4).3
1 Appendix: Exhibit 1 – “How do you assess your cybersecurity risk?”
2 Appendix: Exhibit 2 – “Do you actively update the following?”
3 Appendix: Exhibit 3 – “Do you have a data breach incident response team?”
EXHIBIT 3: HOW OFTEN DO YOU DO A CYBER SECURITY AND PRIVACY RISK ASSESSMENT?
Answer Option    Response Percent    Response Count
Never            4.6%                7
Monthly          12.6%               19
Quarterly        8.6%                13
Bi-Annually      12.6%               19
Annually         37.7%               57
Other            4.6%                7
Don't Know       19.2%               29
Answered question: 151
Skipped question: 52
EXHIBIT 4: DO YOU HAVE A DATA BREACH INCIDENT RESPONSE PLAN?
Answer Option    Response Percent    Response Count
Yes              75.3%               110
Don't know       13.7%               20
No               11.0%               16
Answered question: 146
Skipped question: 57
Interestingly, however, while most organizations proactively develop and update their plans for effective data breach
response, many do not test the effectiveness of the plan. Respondents who said that they have developed a data
breach response plan were asked whether the plan has been tested. Forty-two percent said yes but a nearly equal 41
percent said no or that they did not know (Exhibit 5).
EXHIBIT 5: IF YOU DO HAVE A DATA BREACH INCIDENT RESPONSE PLAN, HAS IT BEEN TESTED?
Answer Option    Response Percent    Response Count
Yes              42.4%               61
Don't know       22.9%               33
No               18.1%               26
N/A              16.7%               24
Answered question: 144
Skipped question: 59
This leads to the question, why would organizations make the effort to
develop a data breach response plan but not make the effort to test the
plan’s effectiveness? Could it be that the incident response plan is being
tested but there is a disconnect or lack of communication between the risk
management and technology departments? According to the data, this could
certainly be a possibility since most organizations (60 percent) continue to
lean on the IT department for managing the data breach response.4
This, however, leads to yet another question about the structure of the
plan and the participants of the data breach response team. Cybersecurity
experts recommend that a breach response team consist of a cross-section of internal personnel as well as
external members. Data breach response teams often include executive management, legal, privacy/compliance,
IT, information security, risk management, and other stakeholders from the company’s various business units.
External members often include privacy counsel, computer forensics and breach response specialists, and a crisis
management firm.
Another and more likely scenario is that most organizations are simply ill prepared to manage data breach risks due to
inadequate resources.
4 Appendix: Exhibit 4 – “What role within your organization is responsible for managing the data breach response?”
DATA BREACH RESPONSE – IS CYBER INSURANCE ENOUGH?
The survey respondents who experienced at least one data breach over the previous twelve months were asked the
average size (# of records lost) of the breaches. Of the responses provided, the average was 2,200 records; however,
the vast majority were small, consisting of fewer than 500 records. The median was 100. Responding to small breaches
can sometimes create challenges for organizations, including those that have cyber insurance (64 percent), because
they fall beneath the minimum threshold required to trigger coverage.5
In fact, of the respondents who purchase cyber insurance and have identified a data breach in the previous twelve months,
nearly all fell below their deductibles (Exhibit 6)6. While cyber coverage is increasingly viewed as an essential part of
many corporate insurance programs, it is designed to protect against low frequency but high severity occurrences.
EXHIBIT 6: IN THE LAST 12 MONTHS WHAT PERCENTAGE OF YOUR DATA BREACHES FELL BELOW YOUR DEDUCTIBLE?
Answer Option                                        Response Percent    Response Count
I haven't had a data breach in the last 12 months    59.3%               48
91 - 100%                                            25.9%               21
Don't know                                           7.4%                6
Less than 10%                                        3.7%                3
41 - 50%                                             2.5%                2
71 - 80%                                             1.2%                1
10 - 20%                                             0.0%                0
21 - 30%                                             0.0%                0
31 - 40%                                             0.0%                0
51 - 60%                                             0.0%                0
61 - 70%                                             0.0%                0
81 - 90%                                             0.0%                0
Answered question: 81
Skipped question: 122
The vast majority of respondents said that they use internal resources to manage these small but high frequency
claims that fall below their deductible (Exhibit 7). In fact, as noted previously, 60 percent of respondents said it is the
IT department’s responsibility to manage the breach response. While IT certainly has a role to play, a sole reliance on
IT can expose organizations to financial loss as breaches often require privacy and regulatory compliance. For this
reason, cybersecurity experts suggest that while IT needs to be involved, responding to a data breach is not something
it should own solely.
5 Appendix: Exhibit 5 – “Do you purchase cyber liability insurance?”
6 Appendix: Exhibit 6 – “How much is your deductible?”
EXHIBIT 7: HOW DO YOU MANAGE SMALL BREACHES THAT FALL BELOW YOUR DEDUCTIBLE?
Answer Option                         Response Percent    Response Count
Use internal resources to manage      73.1%               57
Contract with a data breach vendor    14.1%               11
Other (please specify)                9.0%                7
Rely upon outside legal counsel       3.8%                3
Answered question: 78
Skipped question: 125
Cyber insurance is a relatively new coverage and the number of claims filed is comparatively few compared with
more mature lines of business.7 But in reality, even if a data breach is large enough to trigger coverage under a cyber
insurance policy, organizations will still often be required to assume some of the financial burden. For example, the
cost of the breach could have exceeded the amount of coverage purchased, or the losses could have fallen under one
of the policy’s exclusions such as intellectual property, infrastructure, and/or reputational loss (Exhibit 8).
EXHIBIT 8: DO YOU BELIEVE YOUR LIMITS ARE ADEQUATE FOR A LARGE DATA BREACH?
Answer Option    Response Percent    Response Count
Yes              53.8%               42
Don't know       26.9%               21
No               19.2%               15
Answered question: 78
Skipped question: 125
In addition to loss indemnification, cyber policies also provide access to a variety of tools and services such as risk
assessment tools, data breach incident response plans, and educational resources, to help manage cyber security
risks. Seventy percent of respondents said that their policy offers free tools to help manage their cybersecurity risks.
Forty-four percent of the respondents said they have used them (Exhibit 9).
7 Appendix: Exhibit 7 – “Have you ever had to file a claim under your cyber policy?”
EXHIBIT 9: IF YOUR POLICY DOES OFFER FREE TOOLS, HAVE YOU USED THEM?
Answer Option    Response Percent    Response Count
Yes              43.9%               29
No               39.4%               26
Don't know       16.7%               11
Answered question: 66
DATA BREACH RESPONSE – VENDOR SERVICES
To cost effectively manage coverage gaps, many organizations that lack the resources and/or knowledge in-house can
benefit from the expertise provided by a full-service vendor equipped to manage a large breach response effort while
minimizing reputational, regulatory, and litigation risks. Respondents were asked whether they have selected data breach
response vendors. Fifty-one percent said yes but a nearly equal 49 percent said no or that they did not know.8
Respondents who had selected data breach response vendors were then asked how they made the selection. Fifty-nine
percent chose their own vendors while the remaining 41 percent said their vendors were provided through their
cyber insurance program.
Regardless of how they are chosen, breach response vendors offer a variety of services that mitigate cybersecurity
risk and supplement cyber insurance policies by effectively managing exposures that are not covered by the policy.
According to respondents, the services that are most important are forensics (74 percent), protection services (65
percent), pre-breach services (61 percent), call center (51 percent), and mailing (38 percent) (Exhibit 10). The
vast majority (74 percent) would prefer to receive these services from a single vendor.
EXHIBIT 10: WHAT SERVICES DO YOU THINK ARE MOST IMPORTANT FOR YOUR DATA BREACH RESPONSE VENDORS TO PROVIDE? (SELECT ALL THAT APPLY)
Answer Option                              Response Percent    Response Count
Call center                                51.5%               70
Mailing                                    38.2%               52
Protection services (credit monitoring)    65.4%               89
Forensics                                  73.5%               100
Pre-breach services                        61.0%               83
Answered question: 136
Skipped question: 67
8 Appendix: Exhibit 8 – “Do you have data breach response vendors selected?”
ABOUT THE SURVEY RESPONDENTS
Advisen and ID Experts collaborated on a survey designed to understand how organizations prepare and respond to
data breach threats. Invitations to participate were distributed via email to risk managers, insurance buyers and other
risk professionals. The survey was completed at least in part by 203 risk professionals.
The majority of respondents classified themselves as either Chief Risk Manager/Head of Risk Management
Department (41 percent), or Member of Risk Management Department (not head).9
Thirteen macro industry segments are represented. Healthcare has the highest representation accounting for 22
percent of the total respondents. Other well represented industries include industrials at 13 percent, government and
nonprofit at 12 percent, consumer discretionary at 10 percent, and professional services at 9 percent.10
The survey represents businesses of all sizes. Twenty-five percent of respondents have more than 15,000 employees,
23 percent have between 1,001 and 5,000, 22 percent have between 5,001 and 15,000, 17 percent have less than 500,
and 13 percent have between 500 and 1,000 employees.11
The survey is also represented by businesses across all regions of the United States. Twenty-eight percent are located
in the Northeast, 23 percent in the Southeast, 17 percent in the Midwest, 13 percent in the West, and 10 percent come
from the Southwest.12
9 Appendix: Exhibit 9 – “Which of the following best describes your role within your organization?”
10 Appendix: Exhibit 10 -- “What is your industry?”
11 Appendix: Exhibit 11 – “How many employees does your company have?”
12 Appendix: Exhibit 12 – “Where are you located?”
APPENDIX:
EXHIBIT 1: HOW DO YOU ASSESS YOUR CYBER SECURITY RISK?
Answer Option                                                           Response Percent    Response Count
Don't know                                                              34.2%               52
A software-based process or tool that was developed by a third party    25.0%               38
An ad-hoc process                                                       17.1%               26
A manual process or tool that was developed internally                  11.8%               18
A free tool that was developed by an external entity or association     5.9%                9
A software-based process or tool that was developed internally          5.9%                9
Answered question: 152
Skipped question: 51
EXHIBIT 2: DO YOU ACTIVELY UPDATE THE FOLLOWING?
Answer Option                    Yes    No    Don't Know    Response Count
Privacy and Security policies    130    11    10            151
Privacy Training                 107    29    14            150
Security Training                113    23    15            151
Internal Resources               117    13    21            151
Answered question: 152
Skipped question: 51
EXHIBIT 3: DO YOU HAVE A DATA BREACH INCIDENT RESPONSE TEAM?
Answer Option    Response Percent    Response Count
Yes              69.2%               99
Don't know       16.1%               23
No               14.7%               21
Answered question: 143
Skipped question: 60
EXHIBIT 4: WHAT ROLE WITHIN YOUR ORGANIZATION IS RESPONSIBLE FOR MANAGING THE DATA BREACH RESPONSE?
Answer Option                         Response Percent    Response Count
Chief Information Officer             34.0%               49
Chief Information Security Officer    25.7%               37
General Counsel                       6.9%                10
Privacy Officer                       6.9%                10
Compliance Officer                    6.9%                10
N/A                                   6.9%                10
Other (please specify)                6.9%                10
Risk Manager                          5.6%                8
Answered question: 144
Skipped question: 59
EXHIBIT 5: DO YOU HAVE CYBER LIABILITY INSURANCE?
Answer Option    Response Percent    Response Count
Yes              64.4%               96
No               35.6%               53
Answered question: 149
Skipped question: 54
EXHIBIT 6: HOW MUCH IS YOUR DEDUCTIBLE?
Answer Option              Response Percent    Response Count
$10,000 to $25,000         19.5%               15
$101,000 to $250,000       14.3%               11
$51,000 to $100,000        13.0%               10
$251,000 to $500,000       11.7%               9
$501,000 to $1,000,000     11.7%               9
Less than $10,000          10.4%               8
Greater than $1,000,000    10.4%               8
$26,000 to $50,000         9.1%                7
Answered question: 77
Skipped question: 126
EXHIBIT 7: HAVE YOU EVER HAD TO FILE A CLAIM UNDER YOUR CYBER POLICY?
Answer Option    Response Percent    Response Count
No               80.5%               66
Yes              15.9%               13
Don't know       3.7%                3
Answered question: 82
Skipped question: 121
EXHIBIT 8: DO YOU HAVE DATA BREACH RESPONSE VENDORS SELECTED?
Answer Option    Response Percent    Response Count
Yes              51.0%               73
Don't know       29.4%               42
No               19.6%               28
Answered question: 143
Skipped question: 60
EXHIBIT 9: WHICH OF THE FOLLOWING BEST DESCRIBES YOUR ROLE WITHIN YOUR ORGANIZATION?
Answer Option                                                      Response Percent    Response Count
Chief Risk Manager/Head of Risk Management Department              41.0%               82
Member of Risk Management Department (not head)                    33.5%               67
Other (please specify)                                             12.0%               24
Information Technology (IT)                                        4.5%                9
Other Executive Management (e.g. CEO, CIO, CISO, CFO, COO etc.)    3.0%                6
Compliance                                                         2.5%                5
Privacy                                                            2.0%                4
General Counsel                                                    1.5%                3
Answered question: 200
Skipped question: 3
EXHIBIT 10: WHAT IS YOUR INDUSTRY?
Answer Option               Response Percent    Response Count
Healthcare                  21.5%               42
Industrials                 13.3%               26
Government and Nonprofit    12.3%               24
Consumer Discretionary      10.3%               20
Professional Services       9.2%                18
Materials                   6.2%                12
Utilities                   6.2%                12
Education                   5.6%                11
Energy                      5.1%                10
Nonbank Financial           4.1%                8
Consumer Staples            3.1%                6
Banks                       2.6%                5
Telecommunications          0.5%                1
Answered question: 195
Skipped question: 8
EXHIBIT 11: HOW MANY EMPLOYEES DOES YOUR COMPANY HAVE?
Answer Option      Response Percent    Response Count
More than 15000    25.1%               50
1001 to 5000       22.6%               45
5001 to 15000      22.1%               44
Less than 500      17.1%               34
500 to 1000        13.1%               26
Answered question: 199
Skipped question: 4
EXHIBIT 12: WHERE ARE YOU LOCATED?
Answer Option             Response Percent    Response Count
Northeast                 27.6%               55
Southeast                 23.1%               46
Midwest                   17.1%               34
West                      12.6%               25
Southwest                 10.1%               20
Other (please specify)    9.5%                19
Answered question: 199
Skipped question: 4
Disclaimer: The information contained in this document has been developed from sources believed to be reliable. However, the accuracy and correctness of such materials and information has not been verified. We make no warranties either expressed or implied nor accept any legal responsibility for the correctness or completeness of this material. This information should not be construed as business, risk management, or legal advice or legal opinion. Compliance with any of the recommendations contained herein in no way guarantees the fulfillment of your obligations as may be required by any local, state or federal laws. Advisen and ID Experts assumes no responsibility for the discovery and/or elimination of relevant conditions on your property or at your facility.