Execs Say Cyber-Attacks a Top Threat: AIG Survey

Ulrich Baumgarten | Getty Images

The threat of a cyber attack tops the threat of losing money as the primary risk business executives are concerned about, according to a new survey sponsored by the insurance giant AIG.

Of the 258 executives surveyed by Penn Schoen Berland, 85 percent said they were very or somewhat concerned about cyber-attacks on their organizations — topping the 82 percent concerned about income loss, the 80 percent concerned about property damage and the 76 percent concerned about securities and investment risk.

"It's becoming a C-suite problem," said John Gambale, Head of Professional Liability & Lexington Financial Lines at AIG. "[The executives are] asking what information are we collecting? Who has access to that information? How is it being stored? Where is it being stored? Is that information on a laptop, and is that laptop leaving the building? Is it leaving the country?" (Read More: Businesses Facing Increasing Cyber Threats: Security Experts)

Cyber-attacks have been a growing threat for well over a decade now, impacting victims ranging from the Federal Reserve to the country's largest banks to the discount retailer T.J. Maxx. Companies most likely to be targets are those that collect important personal information like providers of financial services, health care, and higher education as well as e-tailers.

"Any entity with personal, identifiable information — anything that can be converted to money is at risk," said Michael DuBose, Managing Director, Cyber Investigations Practice at the security firm Kroll. He pointed out the top threat to corporate America continues to be from insiders stealing trade secrets and other data, and selling it to rivals or foreign countries, though cyber-attacks cannot be ignored.

"Hacking modality has changed," said DuBose. "You used to think of it more as a hit and run thing, a one session hack. Now it is more like a hack and stay."

DuBose said the hacker, via malware or malicious software, can now infiltrate a system and stay for months, monitoring data traffic and other information without being detected by the anti-virus scans employed by most corporations. (Read More: Pentagon in Major Expansion of Cybersecurity Force )

"As a result about 85 percent of the companies that experience a breach have to be told about it from a third party," said Dubose. "It is usually law enforcement or some other third party that tells them about the breach."

These breaches are costly and frequent. Symantec estimated the global cost of cyber-attacks in 2011 was $388 billion dollars in direct financial loss and the cost of recovering from the attacks. In its 2012 Data Breach Investigations Report telecom giant Verizon in 2011 found that 174 million records were compromised by cyber-attacks, the second highest since it started tracking data breaches in 2004.

Still, the executives surveyed by AIG are less concerned with the financial cost of an attack, than with the reputational damage an attack might cause, said Gambale. He pointed out keeping their clients information safe is critical to what many corporations do. If a data breach causes a firm to lose the trust of their clients, they lose their clients' business.

Since 1999, AIG's been in the business of insuring against these attacks. Gambale estimated cyber insurance is now a $500 million to $600 million business — one some estimate could reach a billion dollars in a few years. (Read More: How to Protect Your Devices From New Hack Threat)

Like the attacks themselves, the business of insuring against them have changed. In the past AIG provided services after a breach, including a breach coach, forensic assistance in tracing the breach, credit monitoring and notification services to clients. Today, its sells a product called CyberEdge.

CyberEdge provides proactive protection by putting additional software outside a firm's firewall to prevent globally known "bad" IP addresses from getting through that firewall. It is a product Gambale believes is for any firm, large or small.

"I believe it's for everyone," he said. "If you're handling that personal identifiable information you're held to the same laws, the same standards, the same statutes as a billion dollar company, a government, a newspaper that is handling that information as well."

Kroll works with AIG in providing forensic services to the insurer's clients after a breach has happened. DuBose said cyber insurance is a good thing for firms, as it provides a remedial infrastructure that they may not develop on their own. (Read More: Former US Spy Warns on Cybersecurity )

But there are other things companies need to do.

"They need to do a network health security check," DuBose said. He recommended having an independent party assess and test a systems vulnerability, and security protocols.

"We've done hundreds of these at Kroll and there's never not been a network where security couldn't be significantly improved," he said.

Firms should also elevate oversight of IT security to the C-suite, said DuBose. He acknowledged executives are concerned about cyber attacks but it is important to have someone in a decision making role in charge of guarding against them. Too many firms, he said, rely on their IT group to monitor against these attacks, even though most of these departments are not skilled in this area.

Lastly, firms need to include how they would respond to an attack in their crisis response plans. As he said, and as the executives surveyed by AIG pointed out, the longer it takes to deal with a cyber-attack, the greater financial and reputational cost to a company.

-By CNBC's Mary Thompson; Follow her on Twitter @MThompsonCNBC