Regulation Catalyst in Risk Enforcement

Regulation Catalyst in Risk Enforcement

Government, Private Sector Diverge on Attitudes Toward Risk

By Eric Chabrow, January 31, 2013. Follow Eric @GovInfoSecurity
  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
Eric Chabrow

When it comes to cyber-risk, IT security professionals in government don't necessarily think like their counterparts in the private sector.

That's one takeaway from a survey conducted for the Federation of European Risk Management Associations by the Harvard Business Review Analytic Services, corporate insurer Zurich and the public sector risk management organization PRIMO.

 Regulation and compliance are absolutely the key drivers of what most organizations are attempting to do in the way of cyber-risk. 

According to the report, Meeting the Cyberrisk Challenge, respondents from governmental organizations express greater concern about data breaches affecting employee information - nearly half, compared with just over one-third of private-company respondents - while the private side is twice as concerned about customer data breaches - more than 60 percent saying so, compared with just over 30 percent on the government side.

On the surface, these results suggest that businesses care more about their customers than governments do about their citizens. But that isn't the case. Dig deeper into the survey results and you'll see that regulation plays a big part in how businesses assess and react to cyberrisk.

The survey shows that enterprises are concerned about the legal and regulatory threats that can result from breaches. Survey respondents most frequently place business income loss (40 percent) and the cost to restore crucial proprietary electronic information (36 percent) among their top five concerns. The next three: Legal defense and settlement costs from third party claims (35 percent), costs to comply with regulatory settlements (31 percent) and costs to defend against regulatory investigations (30 percent).

Key Drivers

"Regulation and compliance are absolutely the key drivers of what most organizations are attempting to do in the way of cyber-risk," FERMA board member Julia Graham, chief risk officer of the global law firm DLA Piper, says in the report. "

The survey reveals that fewer than two of five respondents say their organization is in compliance with baseline standards set by law on information security and privacy; the public sector appears to perform better, with nearly three-quarters of respondents saying their organization is in compliance, while only 22 percent of all respondents say their organization is in compliance with baseline standards set by standards-setting bodies.

Other points of note from the survey:

  • Nearly two-thirds of survey respondents say their organization has formally assigned roles and responsibilities to key individuals as part of an incident response plan. But few have made contingency plans with preferred vendors. Fewer than half say they have a strategy for communication to the general public in case of a cyberrisk incident, although the public sector does a better job, with 60 percent-plus of respondents saying they have done so.
  • More than half of respondents say their organization evaluates its information security and privacy systems and practices regularly; but just under one-third of government respondents agree. More than 80 percent say they evaluate or reassess systems and practices either annually or continually. These activities are performed in-house at more than 80 percent of organizations, rather than by external contractors.
  • Top executives often tend to regard themselves as doing a great job controlling cyber-risk, but too often, responsibility remains concentrated with the chief information officer or head of technology. Only 16 percent of companies have designated a chief information security officer to oversee cyber-risk and privacy.
  • More than two of three organizations regularly update their antivirus software, while a similar proportion have introduced secure configurations for network devices such as firewalls, routers and switches. But more than 20 percent say their enterprise's budget for activities to maintain information security and privacy is inadequate; nearly 10 percent say they don't know whether it is.

Follow Eric Chabrow on Twitter: @GovInfoSecurity

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Cool Reception for Obama's Privacy Plan

The Obama administration's discussion draft for a Consumer Privacy Bill of Rights law has some of...

Latest Tweets and Mentions

ARTICLE Cool Reception for Obama's Privacy Plan

The Obama administration's discussion draft for a Consumer Privacy Bill of Rights law has some of...

The ISMG Network