Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyber Insurance

Buying into Cyber Insurance – Do You Need It?

The subject of cyber liability insurance has gained steam in recent years as news of high-profile data breaches continues to litter the headlines.

The subject of cyber liability insurance has gained steam in recent years as news of high-profile data breaches continues to litter the headlines.

Yet recent surveys show that businesses have not been as quick to adopt cyber insurance as some may have expected. A survey from Advisen of 500 people ranging from brokers to carriers to risk managers and insurance buyers underscored this reality. Eighty percent of the brokers surveyed noted that while there has been heightened interest in cyber coverage at the C-suite or board levels, that hasn’t translated into a significant driver of sales.  

“Seventy-three percent of respondents felt that the insured’s lack of understanding of the exposure was the main obstacle,” according to a whitepaper outlining the survey results. “One broker called the sales process, “an uphill battle”, with IT professionals unwilling to accept that their systems could be compromised.”

Almost half the respondents said that “less than 25 percent” of their clients were interested in the coverage, the research revealed. However, more than 25 percent of respondents said they have a sizeable customer base interested in buying cyber coverage.

Advertisement. Scroll to continue reading.

A survey from the Association for Financial Professionals (AFP) conducted earlier this month at the AFP Annual Conference found that just 15 percent of the 970 financial professionals surveyed said their companies have increased the amount of cyber insurance that they carry. Six percent said their companies are now carrying cyber insurance after not having done so in the past. Thirty-one percent however said their organization does not currently carry cyber insurance.

On the other end of the spectrum are Home Depot and Staples, both of which have cyber insurance and stated in recent filings with the U.S. Securities and Exchange Commission that they expect their coverage to mitigate the financial impact of the data breaches they experienced.

“Many companies are looking at investing in cyber insurance,” said Ira Scharf, Chief Strategy Officer at BitSight, a firm which assists companies in rating their cybersecurity. “As malicious cyber activity becomes even more pervasive companies are looking at ways to transfer some of their cyber risk. Cyber insurance provides an excellent mechanism for transferring some of the risk associated with cyber breaches.”

“Typically companies that collect and store personally-identifiable information (PII) or personal health information (PHI) on behalf of their customers or employees are most likely to sustain significant financial loss as a result of a cyber breach,” he said. “This is due in part to the notification laws that are in place in 47 states which require companies that lose PII or PHI due to a cyber breach to notify the affected customers or employees and the attorney general in each state where there are impacted residents. Cyber insurance typically covers notifications costs as well as forensics and other breach response costs. Some policies also cover third-party liability that can arise out of a cyber breach.”

Companies should assess how much PII or PHI they manage as they figure out their potential cyber exposure, he added.

Requirements and exclusions are the big things to look at, said David Monahan, senior analyst at Enterprise Management Associates, adding that companies also need to determine their risk level based on their overall attack surface and possible losses.

“Insurers have no magic wand to wave,” said Neohapsis Senior Security Consultant Nathaniel Couper-Noles. “They don’t know any better than the rest of us which product will have the next zero-day or what crypto algorithm will fall, or the next cyber-risk intensive trend will be. Internet of things, perhaps? Insurers have forecasts and actuaries but they don’t have crystal balls. Rising flood insurance costs for coastal properties is based on the science of rising sea levels, but there is yet no universally accepted or empirically validated science to guide to who will be hacked next. This means that either insurance companies will need to add significant margins, or they may potentially be at risk themselves of inability to pay out…in the event of a major cyber event.”

“I would recommend that most enterprises focus resources on risk reduction…before considering cyber security risk insurance,” Couper-Noles added. “I would recommend cyber insurance primarily to enterprises with mature security posture to address a minimal set of irreducible or difficult-to-reduce risks. It’s a ‘you must be this tall to ride’ thing.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.