According to the 2016 Internal Audit Capabilities and Needs Survey conducted by consulting firm Pritivit, 73% of organizations now include cyber-security risk in their internal audits, a 20% increase from last year. The survey also found that top-performing organizations have better cyber-risk addressing capabilities, especially those whose boards of directors have high levels of engagement in information security risks, which is a campaign the insurance industry has been backing for a long time now.
In the past decade, cyber-security has evolved from an IT risk to boardroom level risk, with 57% of organizations having received inquiries from customers, clients, and insurers about their cyber-security status.
According to the survey, 92% of organizations with a high level of board engagement in information security risks implement a cyber-security risk plan, compared to only 77% of those without a high-level of board engagement. Meanwhile, 83% of companies that include cyber-security risk in the annual audit plan have a cyber-security risk policy, versus 53% that do not include cyber-security risk.
Over 1,300 internal audit practitioners, including more than 150 chief audit executives and mostly from North America, participated in the survey, which is in its tenth year.
A more interconnected world is more exposed to cyber-security risks, so companies need to make cyber-security a high priority in their plans. That includes having a cyber-security insurance policy in place to deal with any risks such as malware and cyber-attacks, such as information theft and extortion, especially for data-sensitive businesses.
Cyber-security risk is now an integral part in many companies annual audit plans, with over 70% of organizations including cyber-security risk in their internal audits.