Last year's headlines are fueling this year's business risks, as events ranging from Brexit and the election of Donald Trump to high-profile cyber breaches and unrest in the Middle East contribute to heightened uncertainty among corporate executives.
A survey of 735 board members and executives, including CEOs, CFOs, and chief risk officers, that was conducted last fall by consultancy Protiviti and the North Carolina State University Enterprise Risk Management Initiative found that, overall, the respondents expected to face greater risks in the new year.
"What the participants indicated is that they perceived, looking forward into 2017, a riskier business environment than what participants in our prior-year survey perceived looking forward into 2016," said Jim DeLoach, a managing director at Protiviti.
That sense of heightened risks was found in Europe and Asia-Pacific, but not in North America, where the readings from executives were little changed from the previous year's.
Mark Beasley, a professor at North Carolina State and director of its ERM Initiative, said executives overseas are affected by such factors as Brexit, the unrest in the Middle East, and the immigration crisis that has weighed on Western Europe. "Collectively all those things are accelerating the issues on the mind of executives, particularly in Europe but also in the Asia-Pacific region," he said.
The survey was conducted before the November U.S. presidential election, and DeLoach said the survey results might have been different had U.S. executives known how the election was going to go.
"If anything, the level of uncertainty has increased as a result of the presidential election because no one really is clear on what is going to happen as a result of the Trump administration," he said.
The Protiviti–North Carolina State survey asked executives to rate 30 risks, up from 27 in previous years. For 2017, the top risk was economic conditions both at home and in international markets, which were cited as a "significant impact" risk by 72% of respondents.
The No. 1 risk over the previous four years, regulatory change and heightened regulatory scrutiny, came in second in the latest survey and was cited as a "significant impact" risk by 66% of respondents. Managing cyber threats ranked third and was cited as a significant risk by 60%.
DeLoach noted that the concern about cyber threats "has been steadily increasing" over the five years that Protiviti and North Carolina State have conducted the survey. "Quite candidly, it's pushing for the second spot; it's way up there," he said.
RIMS Cyber Survey
The concerns about cyber threats were also evident in a survey last fall by RIMS, the risk management society, which found that 80% of the 272 risk managers surveyed had purchased a stand-alone cyber insurance policy last year, up from 51% in 2015.
Nowell Seaman, the president of RIMS for 2017 and director of global risk management for Potash Corp. of Saskatchewan Inc., said that while financing the costs incurred during a cyber breach was important, having insurance was only part of the process of managing cyber risks.
"Cyber is one of those risks where identification of each organization's specific exposures, as well as how that exposure is mitigated, remains absolutely critical," noted Seaman.
He said that when a company buys cyber coverage, insurers want to know what risks the organization is exposed to and how it is managing those risks. "That's indicative; your exposure really depends on what you're doing to mitigate what your specific risks are," he said.
Seaman pointed to the broad array of risks that come under the category of cyber, ranging from breaches and loss of personal data to ransomware and compromises of operational technology. "It's very dependent on each organization to understand the nature of their risk and what they're doing about it," he said.
Protiviti's DeLoach said companies need to be selective about what they protect against cyber threats. "You can't look at all information assets and all intellectual property and say every bit of it needs to be managed to the same extent," he said. Companies should "focus on crown jewels—identifying those information assets and intellectual property that they absolutely cannot afford to lose or have compromised.
"This is a fast-moving space, and what makes it especially challenging is that it is a moving target, meaning that technology moves beyond the protections you already have in place," DeLoach added. "There has to be a constant reassessment of the threat landscape."
Emily Cummins, a RIMS board director and managing director of tax and risk management for the National Rifle Association, said that the dynamic quality of cyber risk is echoed in the way insurance responds to the risk.
"As a buyer, I've found that the cyber marketplace is one of the most responsive and agile," she said.
Cummins noted that the process of buying cyber coverage takes longer than other insurance purchases. "The research and contemplation process is much lengthier," she said. "It has to go deeper. The types of situations you want to insure are not necessarily replications of cases in the past. The organization has to anticipate the future."
Market Conditions
Risks may be mounting, but at least obtaining coverage isn't currently a problem. Seaman said the insurance market remains stable.
"Certainly it appears that softer market conditions have been continuing," he said. "Availability and coverage for most lines do not appear to be an issue at this time."
Seaman also cited a growing acceptance of the importance of risk management. "It's interesting: A few years ago, it was a challenge gaining buy-in to the idea of risk management in many organizations," he said. "What we're seeing increasingly is that an effective risk management program is accepted as good practice.
"Now the challenges are: How do we make the risk management program and tools, how we educate people, [and] how we equip managers throughout the organization to effectively manage risk?" he said.