The subject of cyber liability insurance has gained steam in recent years as news of high-profile data breaches continues to litter the headlines.
Yet recent surveys show that businesses have not been as quick to adopt cyber insurance as some may have expected. A survey from Advisen of 500 people ranging from brokers to carriers to risk managers and insurance buyers underscored this reality. Eighty percent of the brokers surveyed noted that while there has been heightened interest in cyber coverage at the C-suite or board levels, that hasn’t translated into a significant driver of sales.
“Seventy-three percent of respondents felt that the insured’s lack of understanding of the exposure was the main obstacle,” according to a whitepaper outlining the survey results. “One broker called the sales process ‘an uphill battle,’ with IT professionals unwilling to accept that their systems could be compromised.”
Almost half the respondents said that “less than 25 percent” of their clients were interested in the coverage, the research revealed. However, more than 25 percent of respondents said they have a sizeable customer base interested in buying cyber coverage.
A survey from the Association for Financial Professionals (AFP) conducted earlier this month at the AFP Annual Conference found that just 15 percent of the 970 financial professionals surveyed said their companies have increased the amount of cyber insurance that they carry. Six percent said their companies are now carrying cyber insurance after not having done so in the past. Thirty-one percent, however, said their organization does not currently carry cyber insurance.
On the other end of the spectrum are Home Depot and Staples, both of which have cyber insurance and stated in recent filings with the U.S. Securities and Exchange Commission that they expect their coverage to mitigate the financial impact of the data breaches they experienced.
“Many companies are looking at investing in cyber insurance,” said Ira Scharf, Chief Strategy Officer at BitSight, a firm which assists companies in rating their cybersecurity. “As malicious cyber activity becomes even more pervasive, companies are looking at ways to transfer some of their cyber risk. Cyber insurance provides an excellent mechanism for transferring some of the risk associated with cyber breaches.”
“Typically companies that collect and store personally identifiable information (PII) or personal health information (PHI) on behalf of their customers or employees are most likely to sustain significant financial loss as a result of a cyber breach,” he said. “This is due in part to the notification laws that are in place in 47 states which require companies that lose PII or PHI due to a cyber breach to notify the affected customers or employees and the attorney general in each state where there are impacted residents. Cyber insurance typically covers notification costs as well as forensics and other breach response costs. Some policies also cover third-party liability that can arise out of a cyber breach.”
Companies should assess how much PII or PHI they manage as they figure out their potential cyber exposure, he added.
Requirements and exclusions are the big things to look at, said David Monahan, senior analyst at Enterprise Management Associates, adding that companies also need to determine their risk level based on their overall attack surface and possible losses.
“Insurers have no magic wand to wave,” said Neohapsis Senior Security Consultant Nathaniel Couper-Noles. “They don’t know any better than the rest of us which product will have the next zero-day or what crypto algorithm will fall, or what the next cyber-risk intensive trend will be. Internet of things, perhaps? Insurers have forecasts and actuaries but they don’t have crystal balls. Rising flood insurance costs for coastal properties are based on the science of rising sea levels, but there is yet no universally accepted or empirically validated science to guide to who will be hacked next. This means that either insurance companies will need to add significant margins, or they may potentially be at risk themselves of inability to pay out … in the event of a major cyber event.”
“I would recommend that most enterprises focus resources on risk reduction…before considering cyber security risk insurance,” Couper-Noles added. “I would recommend cyber insurance primarily to enterprises with mature security posture to address a minimal set of irreducible or difficult-to-reduce risks. It’s a ‘you must be this tall to ride’ thing.”