Annual Cyber Risk Survey Finds Businesses Are Sharpening Their Focus on Cybersecurity but Also Reveals Much Room for Improvement in Building Cyber-Resilience

This year's survey features the highest percentage of cyber insurance buyers since the beginning of the survey 11 years ago.

October 27, 2021

5 Min Read


SCHAUMBURG, Ill., Oct. 27, 2021 /PRNewswire/ -- Zurich North America and Advisen Ltd. have released the 11th Annual Information Security and Cyber Risk Management Survey of corporate risk managers and insurance buyers revealing current views about information security and cyber risk management. This year's survey features the highest percentage of cyber insurance buyers since the beginning of the survey 11 years ago with 83 percent of respondents carrying some level of cyber insurance. The survey results indicate that risk professionals are increasingly aware of their intensifying cyber risks and the need to manage them using risk mitigation and risk transfer. However, a deeper dive into the numbers found that there is much room for improvement in building cyber resilience.

  • Sixty-five percent of respondents have invested in cyber security solutions to mitigate risk, which means that 35 percent of respondents still have not.

"At Zurich, we have been advocating for increased cyber resilience among businesses for years so seeing a continued increase in take up rate and strengthening risk mitigation efforts is very encouraging," said Michelle Chia, Head of Professional Liability and Cyber for Zurich North America. "The survey results also tell us, however, that more work needs to be done to increase cyber resilience and we are committed to providing businesses the resilience strategies they need through education and support."

The survey results reveal gaps in mitigation efforts among respondents especially related to risk monitoring, employee training and vender risk assessment efforts.

Risk monitoring: Most risk managers taking the survey are not monitoring cyber threats to their organizations frequently enough. Thirty-two percent of respondents shared that they monitored for cyber threats monthly and 28 percent just quarterly. The report states that " today's fast-changing environment, even monthly threat assessments will leave organizations ill-prepared for both threat actors and their cyber insurance renewals."

Vendor risk assessment: At 52 percent, barely half of the survey respondents say vendor risk assessment is a part of their risk mitigation plans. Also, respondents categorized business interruption due to technology failures or supplier cyber disruptions only as a moderate concern on the list of their business continuity concerns. With cybercriminals increasingly leveraging third-party vendors to launch attacks on a broader scale, companies should be forewarned that vendor risk is not an area to ignore.

Employee education: Human error is a major factor in successful cyber security breaches. With cyber threats evolving daily, more frequent training opportunities that keep employees in the loop on threats and help them identify and thwart efforts by bad actors will be critical in minimizing cyber events. Yet only 17 percent of respondents indicate that their companies offer cyber security training on a monthly basis. Annual training is the most common response chosen at 30 percent of survey respondents, with 25 percent conducting employee cyber education on a quarterly basis.

This year is the first time the survey has featured questions on ransomware. Eighty percent of respondents say they feel very or moderately prepared to face a ransomware event. However, respondents also worry that no matter how much they prepare, it will not be enough to fully overcome a ransomware attack. A focus on business interruption persisted through the survey's ransomware section; and the "unknowns" of ransomware were apparent in the survey with one respondent adding, "While our cyber risk security efforts seem very robust, it's difficult to know what we don't know."

Other key findings of the 2021 survey include:

  • The hard cyber insurance market is hitting buyers on all fronts including retention, limits, price, and coverage. Respondent comments show significant worries about a "completely dislocated" market with triple-digit rate increases, shrinking coverages, and skepticism over whether insurers adequately analyze effective loss prevention measures.

  • Buyers' frustration with the cyber insurance market's policy wording varies from carrier to carrier, which makes it difficult for policy holders to compare solutions.

Considering the current state of the insurance market, risk managers will find pre-breach mitigation planning and excellent cyber security controls to be mandatory for underwriters. This year's survey highlights a few areas where risk managers may be lagging and where their insurance partners can offer education and support.

"This survey reveals that customers are concerned with the changing market and what it will mean to their renewal process," added Chia. "Risk managers are looking for coverage that protects their business at the right price and are also looking for solutions to mitigate their risk. With so many unknowns, they may find that the answers to business resilience are right in front of them in the form of risk mitigation."

For 11 consecutive years, Zurich North America and Advisen Ltd. have collaborated on this survey designed to gain insight into the current state of and ongoing trends in cyber risk management and insurance.

The results reflect the responses of nearly 400 respondents representing risk managers, insurance buyers and other risk professionals covering both large and small companies around the world. Finance, banking and insurance industries are the most highly represented. Other industries with significant representation included manufacturing, construction, professional services, educational institutions, healthcare and technology. Firms with between $1 billion and $10 billion in revenue comprised 30 percent. Large businesses with more than $10 billion in revenue represented 10 percent, but most respondents came from smaller and middle market companies (less than $1 billion in revenue) at 61 percent.

Interested parties can link to the complete survey results at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights