The Ponemon Institute, a pre-eminent research center dedicated to privacy, data protection and information security policy, recently released its “2017 Cyber Risk Transfer Comparison Global Report,” which was sponsored by Aon. The report found that although organizations “believe their cyber assets are more valuable than plant, property and equipment assets, they are spending four times more in their budgets on insurance protecting the latter risks.” Ponemon surveyed 2,168 individuals in North America, Europe, the Middle East, Africa, Asia Pacific, Japan and Latin America who are involved in their company’s cyber risk management as well as enterprise risk management activities.
“This unique cyber study found a serious disconnect in risk management,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “What’s interesting is that the majority of companies cover plant, property and equipment losses, insuring an average of 59% and self-insuring 28%. Cyber is almost the opposite, as companies are insuring an average of 15% and self-insuring 59%.”
Indeed, the study found that while the probability of any particular building burning down is significantly lower than 1%, most organizations spend much more on fire insurance premiums than on Cyber coverage, despite stating in their publicly disclosed documents that a majority of the organization’s value is attributed to intangible assets. To underscore this, the study cited the Yahoo-Verizon deal as an example. Verizon recently reduced its purchase price of Yahoo by $350 million because of the severity of cyber incidents at Yahoo in 2013 and 2014.
Moreover, 87% of the survey respondents believe cyber liability is in the top 10 business risks for their company, and 64% believe their companies’ exposures will increase over the next 24 months. However, only 24% say their company carries Cyber insurance. Additionally, 46% of respondents reported a data breach in the last two years, with an average financial impact of $3.6 million. The most frequent type of incident was a system or business process failure that caused disruption to business operations, such as software updates or denial of service attacks. This is followed by cyber attacks that resulted in the misuse or theft of intellectual property, for example, or negligence or mistakes that resulted in the loss of confidential business information.
Why aren’t more companies insuring against cyber threats in light of the risks? Part of the reason is low awareness of the economic and legal consequences of an international data breach or security exploit, says the study. Only 20% of respondents are fully aware of the consequences that could result from a data breach or security exploit in other countries in which their company operates, and 20% say they are not aware of the consequences. The survey also cites the following reasons for not purchasing Cyber Security insurance: premiums are too expensive (36%); coverage is inadequate based on their exposure (36%); property and casualty policies are sufficient (30%); and too many exclusions, restrictions and uninsurable risks (27%). These reasons show a clear need for further education about Cyber insurance and what coverages are indeed available, including the fact that cyber risks are not covered under standard property and liability policies. Interestingly enough, of those who do carry Cyber insurance, 63% of respondents believe their coverage is sufficient with respect to coverage terms and conditions, exclusions, retentions, limits, and insurance carrier financial security.
RPS provides comprehensive Cyber insurance solutions for a broad spectrum of industry sectors and would be happy to assist you with placing this must-have coverage for your insureds.
Source: Ponemon Institute