January 30, 2013 - The Federation of European Risk Management Associations (FERMA) says its latest survey of its members shows that many companies still do not devote sufficient attention to cyber risks, despite an increase in the frequency, scope, and sophistication of threat vectors, as well as harsher penalties for lack of regulatory compliance and loss of sensitive data – not to mention reputational damage.

FERMA carried out its latest research in partnership with Harvard Business Review (HBR) Analytic Services, corporate insurer Zurich, and the public sector risk management organisation PRIMO.

Julia Graham, a FERMA board member who led the trade body's participation in the project, said: "Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered."

More than three-quarters (76%) of survey respondents said that information security and privacy had become more significant areas of concern in the past three years. A majority also indicated that board involvement is growing in their organisation.

"They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance," the final report from HBR and Zurich concludes.

"Information security is a classic enterprise risk," commented Graham. "It is not solely a subject for the domain of the chief information officer (CIO) or the chief information security officer."

In any case, only 16% of companies covered in the FERMA survey have designated a chief information security officer (CISO) to oversee cyber risk and privacy, and only 49% said they have a strategy for communication to the general public in case of a cyber-risk incident or data loss event. An earlier survey from FERMA highlighted threats from social media.

Just 19% of respondents to the this latest assessment of general cyber security threats, say that they have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy, pointed out Zurich. Only 44% said their company's budget for these risks has grown.