The threat of a cyber breach moves more quickly than the blink of an eye.

It affects businesses of all sizes and across all industries—and hackers are becoming more creative, as seen in the recent online attacks on domain name system provider Dyn Inc.

But what do businesses really think about cyber threats, and how are they responding? According to a recent survey by Zurich North America and Advisen, released Oct. 27 at the Advisen Cyber Risk Insights Conference in New York City, more businesses are aware of the risk and a need to do "something," even if they don't agree on what that "something" is.

According to the survey results, the overall upward trend of organizations purchasing what the survey report describes as network security and privacy "cyber" insurance continued this year. The proportion of companies buying security and privacy insurance has increased by 85 percent over five years, from 35 percent of companies purchasing coverage in 2011 to 65 percent in 2016.

Survey results, however, appear to indicate that the market is slowing—up only 7 percent from 2015, compared with an 18 percent increase in 2014.

 

Majority Sees Cyber as 'Significant' Threat

The survey also found a strong connection between industries with substantial personally identifiable information, personal health information, or personal financial information and companies' understanding of data security risks.

Almost all the boards of directors (93 percent) and C-suite executives (95 percent) in healthcare, finance and banking, retail, and communications—those industries that rely heavily on personal data—say that cyber risks are a significant threat. In comparison, 79 percent of boards and 80 percent of C-suite executives from the other industries surveyed view cyber risk as a significant threat.

The survey also found:

    • Among all respondents, 87 percent believe a technology interruption would have a moderate to significant effect on their business, while 13 percent don't see technology interruption as even having a moderate effect.
    • General counsel took over from information technology as the department most frequently responsible for assuring compliance with all applicable federal, state, or local privacy laws—including state breach notification laws—for the first time since the survey began in 2011.
    • Nearly all the companies surveyed (97 percent) clearly recognize the importance of collaboration between their risk management and information technology departments on issues related to cybersecurity.
    • For 36 percent of respondents, "expenses/fines related to a breach of customer/personal information" are the leading reason for purchasing security and privacy insurance.

 

 

Risk Awareness Doesn't Equal Risk Transfer

PropertyCasualty360.com interviewed Erica Davis, head of specialty errors and omissions for Zurich North America, to gain some additional insights about the survey:

PC360:  Were any of the survey results surprising to you?

Erica Davis:  Businesses and senior leadership attitudes toward cyber have evolved. They are keenly aware of the impacts of network interruption or other cyber exposures. Yet that is not necessarily translating to a risk transfer solution. Even though there is growing hyperconnectivity—increased reliance on technology—there are businesses that still have not made the decision to purchase a product to help mitigate the growing nature of network interruption impact.

PC360:  The responses break down by industry to a certain extent. Were there industries that you expected would have a higher uptake in cyber coverage?

Davis:  As indicated, organizations with greater amounts of personally identifiable information and personal health information appear to purchase cyber coverage more frequently. There could be even more attention to these industries in the future due to regulatory developments, especially financial institutions. I expect to see a trend toward more focus on network interruption and corporate confidential information, which may trigger a change to buying patterns within the manufacturing segment or law firms.

PC360:  What department—IT, risk management, general counsel, finance, or HR, for example—is most often taking the lead on educating employees on how to avoid data breaches?

Davis:  We most often find IT taking the lead on data breach awareness and the general counsel taking the lead on privacy awareness. The trend we are encouraged to see is the increased appreciation of how cyber risk education and response need to be a multidepartmental approach, and they have to be embedded into the organization's culture.

PC360:  How can agents and brokers help their small to midsize business clients—for example, physician or dental practices, or retail boutiques—understand and mitigate the risks? I'm thinking about the local dry cleaner with 10 locations who picks up and delivers and keeps customers' credit cards on file, for instance, or a local liquor store "chain" with 20 locations that accepts credit cards and maintains a loyalty list of customers.

Davis:  It really does come back to helping businesses understand and protect themselves from risk. I advise risk mapping here. Small and midsize businesses need help understanding what downtime could mean to their operations and what costs are associated with that downtime. They need to understand how many records they're holding — and what those costs could be if that sensitive information is compromised.

This is an opportunity for the insurance community to help businesses quantify the exposure and provide risk mitigation guidance that better protects these businesses from cyber risk.

PC360:  What do you want readers to take away from the survey results?

Davis:  There is a lot of great information in the survey results, and I encourage those interested to take the time to look through the responses to find what might most interest them.

But overall it's important for them to see that greater awareness and deeper discussion of cyber risk has generated increased role clarity—for example, IT is no longer cited as most responsible for breach notification. Businesses may keep current with awareness of escalating threats—malware, for instance—but they haven't necessarily responded by consistently offering employee training. There is still work to be done on understanding cyber risk and developing action items on what that means to your business. There is no one-size-fits-all approach.

Readers should also see that there continues to be a need for businesses to build on their resilience efforts. The survey shows us that businesses overall are recognizing the additional threat of engineering tactics such as phishing and spear phishing emails to employees, with 50 percent of respondents indicating that "employees unintentionally infecting their network with malware" was a high or extremely high risk and the top concern of survey respondents. But even with a high level of concern about the human element, the survey shows that approximately 21 percent of respondents say they still don't have an employee education program in place.

Ultimately, creating a mind-set of resilience is a key component to building a cyber-related risk mitigation strategy.

 

You can see the complete results of the survey, "Information Security and Cyber Liability Risk Management: The sixth annual survey on the current state of and trends in information security and cyber liability risk management," at Zurich North America's website.

 
