How Organizations Manage Data Breach Exposures


March 2016

MITIGATING THE INEVITABLE: HOW ORGANIZATIONS MANAGE DATA BREACH EXPOSURES

Sponsored by


TABLE OF CONTENTS

EXECUTIVE SUMMARY
KEY FINDINGS
EVERYONE IS AT RISK
ASSESSMENT OF RISK
DATA BREACH RESPONSE – INSURANCE
DATA BREACH RESPONSE – VENDOR SERVICES
ABOUT THE SURVEY RESPONDENTS
APPENDIX


3 March 2016 | www.advisenltd.com

EXECUTIVE SUMMARY

Every organization—in every industry and of every size—that collects and stores sensitive data is exposed to cybercrime and is at risk for data breach. Highly publicized data breaches in both the private and public sectors continue to occur in large number and with great regularity, and show no signs of slowing down. Many more unreported data breaches that never make it to the media occur on a daily basis. Opportunistic criminals have become adept at identifying the most vulnerable targets and are continuously evolving in order to stay a step ahead of defenses.

The reality is that most organizations have already experienced a data breach whether or not they know it. The majority of breaches are, in fact, small, and may go undetected for a long time. Regardless of industry or size, companies increasingly realize that a breach of sensitive data is detrimental to their financial health. “We are highly concerned about our financial exposure, both in fines and penalties, third party claims, and reputational harm,” said a risk manager responding to the survey.

More and more organizations rely on cyber liability insurance to help mitigate this risk. But while cyber liability insurance has proven effective in covering certain cyber-related losses, other types of losses may be excluded under the policy. Additionally, many breaches fall beneath the minimum number of records required to trigger coverage.

It was with this in mind that Advisen and ID Experts collaborated on a survey to gain insight into how businesses are preparing for and responding to data breach threats. The purpose of this study is to better understand how organizations are assessing their breach risks, what actions they are taking to prevent breaches and how they are managing their cyber insurance coverage gaps. The study also explores how organizations respond to data breaches and whether organizations are, or should be, engaging with third party vendors to manage breach response efforts while minimizing reputational, regulatory, and litigation risks.

KEY FINDINGS

• 80 percent of all surveyed organizations are concerned about the consequences of a large public data breach.
• 17 percent of respondents have experienced a data breach that they are aware of over the previous 12 months.
• The vast majority of the data breaches experienced are small, consisting of a loss of fewer than 500 records.
• The median data breach is 100 records.
• Only 45 percent of respondents believe their company has adequate resources to detect all breaches.
• 75 percent of respondents have developed an incident response plan but only 42 percent have tested the plan.
• 60 percent of respondents said that the information technology (IT) department is responsible for managing the data breach response.
• 64 percent purchase cyber insurance.
• The vast majority of breaches fall below the cyber insurance policy deductible.
• Most organizations use internal resources to manage small breaches.
• 51 percent have selected data breach response vendors.
• 75 percent prefer to receive all cybersecurity risk services from a single vendor.


EVERYONE IS AT RISK

Organizations that hold sensitive data, regardless of their size, face data breach risks. In fact, most businesses, insurers, and cybersecurity professionals now accept that the question is no longer if a data breach occurs, but rather a matter of when and how bad it will be.

A large public breach can bring a tremendous amount of unwanted attention. As a result, it is no surprise that the vast majority of risk professionals surveyed (80 percent) worry about the consequence of such an occurrence. They express a range of concerns that are largely centered around the financial impact the breach will have on their business.

“Public perception and reputation damage alone would negatively impact business,” explained one respondent. “Our biggest concern is the financial exposure both in fines and penalties as well as third party claims and reputation harm,” another said. “It could impact business, which is our livelihood,” stated another.

Hacker methods are continuously evolving, allowing hackers to identify new vulnerabilities and penetrate even the most well-fortified websites and networks. Simultaneously, the ability to execute cyberattacks has become easier as hacking toolkits and contract hackers are readily available for purchase, rent, or hire on the Internet.

While it now is a near certainty that a company will at some point experience a data breach, what is not certain is the impact the breach will have on their business. It is widely accepted that organizations that proactively prepare for and manage data breach risk will significantly reduce the impact.

Businesses must ask themselves if they are adequately prepared to identify and respond to this now nearly inevitable data breach occurrence. On the surface, the data suggests that many are. Sixty-seven percent of the survey’s respondents claimed to not have experienced a data breach in the previous 12 months, with another 17 percent saying they experienced only one or two breaches over that period (Exhibit 1). However, less than half (45 percent) of the respondents believe their organization has adequate resources to detect data breaches, so many breaches may go undiscovered.

EXHIBIT 1: MOST ORGANIZATIONS HAVE EXPERIENCED A LOSS OF SENSITIVE DATA IN A SMALL BREACH AND IN MANY CASES MULTIPLE LARGE BREACHES. HOW MANY DATA BREACHES HAS YOUR ORGANIZATION EXPERIENCED IN THE LAST 12 MONTHS?

Answer Options | Response Percent | Response Count
0 | 67.5% | 112
1 - 2 | 16.9% | 28
3 - 5 | 8.4% | 14
10 or more | 6.6% | 11
5 - 7 | 0.6% | 1
7 - 9 | 0.0% | 0
Answered question: 166
Skipped question: 37


The unfortunate reality, however, is that many are likely experiencing breaches that have yet to be discovered. The reason for this may not be for lack of desire or for lack of trying, but rather because they simply do not have the qualified resources, processes or systems. Respondents were asked if they believe their organization has adequate resources to detect all data breaches. Forty-five percent said yes but the remaining 55 percent either said no or that they did not know (Exhibit 2).

EXHIBIT 2: DO YOU BELIEVE YOUR ORGANIZATION HAS ADEQUATE RESOURCES TO DETECT ALL DATA BREACHES?

Answer Options | Response Percent | Response Count
Yes | 44.6% | 74
Don't Know | 28.3% | 47
No | 27.1% | 45
Answered question: 166
Skipped question: 37

ASSESSMENT OF RISK

Risk professionals agree that having a clear understanding of exposures and vulnerabilities and developing a data breach incident response plan around those vulnerabilities is key to minimizing the potential for loss. A poorly managed response significantly increases the risk for costly fines, lawsuits, reputational harm, and customer identity theft.

Seventy-two percent of respondents said that they conduct a cybersecurity and privacy risk assessment at least annually (Exhibit 3).[1] Most said that they actively update their privacy and security policies, training, and internal resources.[2] And the majority (75 percent) has also developed an incident response plan (Exhibit 4).[3]

[1] Appendix: Exhibit 1 – “How do you assess your cybersecurity risk?”
[2] Appendix: Exhibit 2 – “Do you actively update the following?”
[3] Appendix: Exhibit 3 – “Do you have a data breach incident response team?”


EXHIBIT 3: HOW OFTEN DO YOU DO A CYBER SECURITY AND PRIVACY RISK ASSESSMENT?

Answer Options | Response Percent | Response Count
Never | 4.6% | 7
Monthly | 12.6% | 19
Quarterly | 8.6% | 13
Bi-Annually | 12.6% | 19
Annually | 37.7% | 57
Other | 4.6% | 7
Don't Know | 19.2% | 29
If you have never done a risk assessment, why not? | | 8
Answered question: 151
Skipped question: 52

EXHIBIT 4: DO YOU HAVE A DATA BREACH INCIDENT RESPONSE PLAN?

Answer Options | Response Percent | Response Count
Yes | 75.3% | 110
Don't know | 13.7% | 20
No | 11.0% | 16
Answered question: 146
Skipped question: 57

Interestingly, however, while most organizations proactively develop and update their plans for effective data breach response, many do not test the effectiveness of the plan. Respondents who said that they have developed a data breach response plan were asked whether the plan has been tested. Forty-two percent said yes but a nearly equal 41 percent said no or that they did not know (Exhibit 5).


EXHIBIT 5: IF YOU DO HAVE A DATA BREACH INCIDENT RESPONSE PLAN, HAS IT BEEN TESTED?

Answer Options | Response Percent | Response Count
Yes | 42.4% | 61
Don't know | 22.9% | 33
No | 18.1% | 26
N/A | 16.7% | 24
Answered question: 144
Skipped question: 59

This leads to the question, why would organizations make the effort to develop a data breach response plan but not make the effort to test the plan’s effectiveness? Could it be that the incident response plan is being tested but there is a disconnect or lack of communication between the risk management and technology departments? According to the data this could certainly be a possibility since most organizations (60 percent) continue to lean on the IT department for managing the data breach response.[4]

[4] Appendix: Exhibit 4 – “What role within your organization is responsible for managing the data breach response?”

This, however, leads to yet another question about the structure of the plan and the participants of the data breach response team. Cybersecurity experts recommend that a breach response team consist of a cross-section of internal personnel as well as external members. Data breach response teams often include executive management, legal, privacy/compliance, IT, information security, risk management, and other stakeholders from the company’s various business units. External members often include privacy counsel, computer forensics and breach response specialists, and a crisis management firm.

Another and more likely scenario is that most organizations are simply ill prepared to manage data breach risks due to inadequate resources.

DATA BREACH RESPONSE – IS CYBER INSURANCE ENOUGH?

The survey respondents who experienced at least one data breach over the previous twelve months were asked the average size (# of records lost) of the breaches. Of the responses provided, the average was 2,200 records; however, the vast majority were small, consisting of fewer than 500 records. The median was 100. Responding to small breaches can sometimes create challenges for organizations, including those that have cyber insurance (64 percent), because they fall beneath the minimum threshold required to trigger coverage.[5]

In fact, of the respondents who purchase cyber insurance and have identified a data breach in the previous twelve months, nearly all fell below their deductibles (Exhibit 6).[6] While cyber coverage is increasingly viewed as an essential part of many corporate insurance programs, it is designed to protect against low frequency but high severity occurrences.

EXHIBIT 6: IN THE LAST 12 MONTHS WHAT PERCENTAGE OF YOUR DATA BREACHES FELL BELOW YOUR DEDUCTIBLE?

Answer Options | Response Percent | Response Count
I haven't had a data breach in the last 12 months | 59.3% | 48
91 - 100% | 25.9% | 21
Don't know | 7.4% | 6
Less than 10% | 3.7% | 3
41 - 50% | 2.5% | 2
71 - 80% | 1.2% | 1
10 - 20% | 0.0% | 0
21 - 30% | 0.0% | 0
31 - 40% | 0.0% | 0
51 - 60% | 0.0% | 0
61 - 70% | 0.0% | 0
81 - 90% | 0.0% | 0
Answered question: 81
Skipped question: 122

The vast majority of respondents said that they use internal resources to manage these small but high frequency claims that fall below their deductible (Exhibit 7). In fact, as noted previously, 60 percent of respondents said it is the IT department’s responsibility to manage the breach response. While IT certainly has a role to play, a sole reliance on IT can expose organizations to financial loss as breaches often require privacy and regulatory compliance. For this reason, cybersecurity experts suggest that while IT needs to be involved, responding to a data breach is not something it should own solely.

[5] Appendix: Exhibit 5 – “Do you purchase cyber liability insurance?”
[6] Appendix: Exhibit 6 – “How much is your deductible?”


EXHIBIT 7: HOW DO YOU MANAGE SMALL BREACHES THAT FALL BELOW YOUR DEDUCTIBLE?

Answer Options | Response Percent | Response Count
Use internal resources to manage | 73.1% | 57
Contract with a data breach vendor | 14.1% | 11
Other (please specify) | 9.0% | 7
Rely upon outside legal counsel | 3.8% | 3
Answered question: 78
Skipped question: 125

Cyber insurance is a relatively new coverage and the number of claims filed is small compared with more mature lines of business.[7] But in reality, even if a data breach is large enough to trigger coverage under a cyber insurance policy, organizations will still often be required to assume some of the financial burden. For example, the cost of the breach could have exceeded the amount of coverage purchased, or the losses could have fallen under one of the policy’s exclusions such as intellectual property, infrastructure, and/or reputational loss (Exhibit 8).

[7] Appendix: Exhibit 7 – “Have you ever had to file a claim under your cyber policy?”

EXHIBIT 8: DO YOU BELIEVE YOUR LIMITS ARE ADEQUATE FOR A LARGE DATA BREACH?

Answer Options | Response Percent | Response Count
Yes | 53.8% | 42
Don't know | 26.9% | 21
No | 19.2% | 15
Answered question: 78
Skipped question: 125

In addition to loss indemnification, cyber policies also provide access to a variety of tools and services such as risk assessment tools, data breach incident response plans, and educational resources, to help manage cyber security risks. Seventy percent of respondents said that their policy offers free tools to help manage their cybersecurity risks. Forty-four percent of the respondents said they have used them (Exhibit 9).


EXHIBIT 9: IF YOUR POLICY DOES OFFER FREE TOOLS, HAVE YOU USED THEM?

Answer Options | Response Percent | Response Count
Yes | 43.9% | 29
No | 39.4% | 26
Don't know | 16.7% | 11
What tool did you find the most valuable? Or, what tool | | 8
Answered question: 66
Skipped question: 0

DATA BREACH RESPONSE – VENDOR SERVICES

To cost-effectively manage coverage gaps, many organizations that lack the resources and/or knowledge in-house can benefit from the expertise provided by a full-service vendor equipped to manage a large breach response effort while minimizing reputational, regulatory, and litigation risks. Respondents were asked whether they have selected data breach response vendors. Fifty-one percent said yes but a nearly equal 49 percent said no or that they did not know.[8]

Respondents who had selected data breach response vendors were then asked how they made the selection. Fifty-nine percent chose their own vendors while the remaining 41 percent said their vendors were provided through their cyber insurance program.

Regardless of how they are chosen, breach response vendors offer a variety of services that mitigate cybersecurity risk and supplement cyber insurance policies by effectively managing exposures that are not covered by the policy. According to respondents the services that are most important are forensics (74 percent), protection services (65 percent), pre-breach services (61 percent), call center (51 percent), and mailing (38 percent) (Exhibit 10). The vast majority (74 percent) would prefer to receive these services from a single vendor.

[8] Appendix: Exhibit 8 – “Do you have data breach response vendors selected?”

EXHIBIT 10: WHAT SERVICES DO YOU THINK ARE MOST IMPORTANT FOR YOUR DATA BREACH RESPONSE VENDORS TO PROVIDE? (SELECT ALL THAT APPLY)

Answer Options | Response Percent | Response Count
Call center | 51.5% | 70
Mailing | 38.2% | 52
Protection services (credit monitoring) | 65.4% | 89
Forensics | 73.5% | 100
Pre-breach services | 61.0% | 83
Answered question: 136
Skipped question: 67


ABOUT THE SURVEY RESPONDENTS

Advisen and ID Experts collaborated on a survey designed to understand how organizations prepare and respond to data breach threats. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed at least in part by 203 risk professionals.

The majority of respondents classified themselves as either Chief Risk Manager/Head of Risk Management Department (41 percent), or Member of Risk Management Department (not head).[9]

Thirteen macro industry segments are represented. Healthcare has the highest representation accounting for 22 percent of the total respondents. Other well represented industries include industrials at 13 percent, government and nonprofit at 12 percent, consumer discretionary at 10 percent, and professional services at 9 percent.[10]

The survey represents businesses of all sizes. Twenty-five percent of respondents have more than 15,000 employees, 23 percent have between 1,001 and 5,000, 22 percent have between 5,001 and 15,000, 17 percent have less than 500, and 13 percent have between 500 and 1,000 employees.[11]

The survey is also represented by businesses across all regions of the United States. Twenty-eight percent are located in the Northeast, 23 percent in the Southeast, 17 percent in the Midwest, 13 percent in the West, and 10 percent come from the Southwest.[12]

[9] Appendix: Exhibit 9 – “Which of the following best describes your role within your organization?”
[10] Appendix: Exhibit 10 – “What is your industry?”
[11] Appendix: Exhibit 11 – “How many employees does your company have?”
[12] Appendix: Exhibit 12 – “Where are you located?”


APPENDIX

EXHIBIT 1: HOW DO YOU ASSESS YOUR CYBER SECURITY RISK?

Answer Options | Response Percent | Response Count
Don't know | 34.2% | 52
A software-based process or tool that was developed by a third party | 25.0% | 38
An ad-hoc process | 17.1% | 26
A manual process or tool that was developed internally | 11.8% | 18
A free tool that was developed by an external entity or association | 5.9% | 9
A software-based process or tool that was developed internally | 5.9% | 9
Answered question: 152
Skipped question: 51

EXHIBIT 2: DO YOU ACTIVELY UPDATE THE FOLLOWING?

Answer Options | Yes | No | Don't Know | Response Count
Privacy and Security policies | 130 | 11 | 10 | 151
Privacy Training | 107 | 29 | 14 | 150
Security Training | 113 | 23 | 15 | 151
Internal Resources | 117 | 13 | 21 | 151
Answered question: 152
Skipped question: 51


EXHIBIT 3: DO YOU HAVE A DATA BREACH INCIDENT RESPONSE TEAM?

Answer Options | Response Percent | Response Count
Yes | 69.2% | 99
Don't know | 16.1% | 23
No | 14.7% | 21
Answered question: 143
Skipped question: 60

EXHIBIT 4: WHAT ROLE WITHIN YOUR ORGANIZATION IS RESPONSIBLE FOR MANAGING THE DATA BREACH RESPONSE?

Answer Options | Response Percent | Response Count
Chief Information Officer | 34.0% | 49
Chief Information Security Officer | 25.7% | 37
General Counsel | 6.9% | 10
Privacy Officer | 6.9% | 10
Compliance Officer | 6.9% | 10
N/A | 6.9% | 10
Other (please specify) | 6.9% | 10
Risk Manager | 5.6% | 8
Answered question: 144
Skipped question: 59


EXHIBIT 5: DO YOU HAVE CYBER LIABILITY INSURANCE?

Answer Options | Response Percent | Response Count
Yes | 64.4% | 96
No | 35.6% | 53
Answered question: 149
Skipped question: 54

EXHIBIT 6: HOW MUCH IS YOUR DEDUCTIBLE?

Answer Options | Response Percent | Response Count
$10,000 to $25,000 | 19.5% | 15
$101,000 to $250,000 | 14.3% | 11
$51,000 to $100,000 | 13.0% | 10
$251,000 to $500,000 | 11.7% | 9
$501,000 to $1,000,000 | 11.7% | 9
Less than $10,000 | 10.4% | 8
Greater than $1,000,000 | 10.4% | 8
$26,000 to $50,000 | 9.1% | 7
Answered question: 77
Skipped question: 126


EXHIBIT 7: HAVE YOU EVER HAD TO FILE A CLAIM UNDER YOUR CYBER POLICY?

Answer Options | Response Percent | Response Count
No | 80.5% | 66
Yes | 15.9% | 13
Don't know | 3.7% | 3
Answered question: 82
Skipped question: 121

EXHIBIT 8: DO YOU HAVE DATA BREACH RESPONSE VENDORS SELECTED?

Answer Options | Response Percent | Response Count
Yes | 51.0% | 73
Don't know | 29.4% | 42
No | 19.6% | 28
Answered question: 143
Skipped question: 60


EXHIBIT 9: WHICH OF THE FOLLOWING BEST DESCRIBES YOUR ROLE WITHIN YOUR ORGANIZATION?

Answer Options | Response Percent | Response Count
Chief Risk Manager/Head of Risk Management Department | 41.0% | 82
Member of Risk Management Department (not head) | 33.5% | 67
Other (please specify) | 12.0% | 24
Information Technology (IT) | 4.5% | 9
Other Executive Management (e.g. CEO, CIO, CISO, CFO, COO etc.) | 3.0% | 6
Compliance | 2.5% | 5
Privacy | 2.0% | 4
General Counsel | 1.5% | 3
Answered question: 200
Skipped question: 3

EXHIBIT 10: WHAT IS YOUR INDUSTRY?

Answer Options | Response Percent | Response Count
Healthcare | 21.5% | 42
Industrials | 13.3% | 26
Government and Nonprofit | 12.3% | 24
Consumer Discretionary | 10.3% | 20
Professional Services | 9.2% | 18
Materials | 6.2% | 12
Utilities | 6.2% | 12
Education | 5.6% | 11
Energy | 5.1% | 10
Nonbank Financial | 4.1% | 8
Consumer Staples | 3.1% | 6
Banks | 2.6% | 5
Telecommunications | 0.5% | 1
Answered question: 195
Skipped question: 8


EXHIBIT 11: HOW MANY EMPLOYEES DOES YOUR COMPANY HAVE?

Answer Options | Response Percent | Response Count
More than 15000 | 25.1% | 50
1001 to 5000 | 22.6% | 45
5001 to 15000 | 22.1% | 44
Less than 500 | 17.1% | 34
500 to 1000 | 13.1% | 26
Answered question: 199
Skipped question: 4

EXHIBIT 12: WHERE ARE YOU LOCATED?

Answer Options | Response Percent | Response Count
Northeast | 27.6% | 55
Southeast | 23.1% | 46
Midwest | 17.1% | 34
West | 12.6% | 25
Southwest | 10.1% | 20
Other (please specify) | 9.5% | 19
Answered question: 199
Skipped question: 4

Disclaimer: The information contained in this document has been developed from sources believed to be reliable. However, the accuracy and correctness of such materials and information has not been verified. We make no warranties either expressed or implied nor accept any legal responsibility for the correctness or completeness of this material. This information should not be construed as business, risk management, or legal advice or legal opinion. Compliance with any of the recommendations contained herein in no way guarantees the fulfillment of your obligations as may be required by any local, state or federal laws. Advisen and ID Experts assumes no responsibility for the discovery and/or elimination of relevant conditions on your property or at your facility.