Experian Data Breach Resolution and the Ponemon Institute released a new study today that shows that companies now rank cyber security risks as greater than natural disasters and other major business risks. While only 31 percent of companies are insured today, a growing number of companies are exploring policies. This indicates a larger appetite for financial protection in the wake of a breach. The report, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, is one of the first to examine corporate adoption of and attitudes toward the rapidly evolving cyber security insurance market and how companies are managing the potential financial damage of breaches. Respondents include senior privacy and compliance professionals involved in evaluating cyber insurance policies and corporate risk management. The top industries represented are retail, public sector, health and pharmaceuticals, and financial services.
Companies surveyed acknowledged the potential financial impact associated with security breaches. The 56 percent that had breaches reported an average cost of $9.4 million for these incidents in the last 24 months. However, these costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents.
"We are reaching a tipping point where the majority of companies we surveyed now rank cyber security risks as high as other major insurable business risks," said Michael Bruemmer, vice president at Experian Data Breach Resolution. "We anticipate that demand for cyber security insurance is likely to increase in response to evolving breach response policies."
Key findings include the following:
Data breaches impact more than IT teams
With the rapid growth of the threat landscape and the number of data breaches, concerns over how to manage them have moved beyond corporate IT teams to other major parts of organizations. Many companies realize that security incidents create significant financial risks that must be managed like other major business risks. In fact, respondents quantified the average potential maximum financial risk of a data breach at $163 million, with some projecting more than $500 million in damages.
- The risk from security exploits is greater than or equal to that of a natural disaster, business interruption, fire, etc., according to 76 percent of respondents.
- On average, respondents say there is a nine percent likelihood that their company will experience the predicted maximum financial impact during a data breach. This is a small but significant number when compared with other areas that are regularly insured.
Cyber insurance is becoming a key consideration to mitigate fallout
Most companies are increasingly looking to cyber insurance, alongside technical protections, as part of the solution for managing the risk posed by security incidents. Not surprisingly, the study found that the likelihood of a company considering a policy increases after experiencing an incident.
- Thirty-one percent of companies report current cyber insurance coverage, and survey results show growth on the horizon. In fact, 39 percent of respondents say their organization plans to purchase a policy.
- Additionally, more than half with a policy believe it is an essential part of their companies' risk management programs.
Those with cyber insurance are largely satisfied with the protection it provides. However, even more interesting are the added benefits for the company's security preparedness and its access to other resources (forensics, notification, etc.) to help manage security.
- Sixty-two percent found that the process of evaluating cyber insurance policies improves the company's cyber security preparedness and readiness.
- Of those with a policy, 30 percent have experienced an exploit or a data breach and submitted a claim. Nearly all were happy with their providers' responses to the claim (95 percent rated them good to excellent).
- Most policies provide benefits for forensics and investigative costs (64 percent), notification costs to data breach victims (86 percent) and legal defense costs (73 percent).
Still skeptics among the crowd
Despite the increased interest in cyber insurance, some companies are still skeptical about policies and restrictions. Thirty percent noted they do not plan on purchasing cyber insurance.
- Those without a policy noted that price is a roadblock to purchasing. Respondents also said that policy conditions that include excessive exclusions, restrictions and uninsurable risks inhibit their organizations from purchasing a policy.
- However, of those with insurance, 62 percent believe the premiums are fair given the nature of the risk.
The way companies prepare for and manage security exploits will continue to evolve. The study indicates growing interest in and adoption of cyber insurance policies as a means to mitigate the impact of an exploit.
"Companies worry about the financial impact following a data breach," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "Cyber insurance could be an important part of a risk management strategy to protect against potentially severe financial losses."