Half Of US Firms Do Not Buy Cyber Insurance

A full 50 percent of US firms do not have cyber risk insurance and 27 percent of US executives say their firms have no plans to take out cyber insurance, even though 61 percent of them expect cyber breaches to increase in the next year.

Even among those that have insurance, only 16 percent said they have cyber-security insurance that covers all risks.

The US lags behind the UK and Canada, where about 40 percent have no cyber coverage. Mistrust about insurance pricing is one reason some firms aren’t buying.

These findings come from a survey conducted by research firm Ovum for Silicon Valley analytics firm FICO. The researchers conducted telephone interviews with 350 c-suite executives and senior security officers from financial services, telecommunications, healthcare, retail, e-commerce and media service providers. The respondents represented various size companies: 30 percent had 500 to 1,000 employees; 28 percent had 1,001 up to 4,999; 17 percent had 5,000 up to 9,999, and 25 percent had more than 10,000.

In the US, the healthcare industry is particularly behind on fully protecting itself with cyber insurance, according to the survey. None of the healthcare firms represented in the survey have insurance that covers all risk, while 74 percent have none at all.

“With so many firms concerned about a rise in the likelihood of cyber breaches in the next year, it’s troubling to see that half of them don’t have any cybersecurity insurance protection,” said Bob Shiflet, who oversees fraud and financial crime solutions at FICO.

“There are steps the insurance industry can take to make guidelines clearer and explain premium adjustments, but companies need to be willing to dedicate the resources required to protect themselves from the breaches they themselves see as likely, if not inevitable.”

The authors identify the cost and lack of clarity about insurance pricing as an obstacle to increased sales. Only 25 percent of survey respondents believe that premiums provide a genuine reflection of the risk profile of their organisation. Only 23 percent believe that the insurance industry is clear and transparent in its approaches to pricing.

US executives identified several ways the risk assessment process that insurers use could be improved. Twenty-nine percent say that insurers should provide clear guidelines about how premiums are chosen, 28 percent would like clearer communications as to why premium adjustments happen and 23 percent would like insurers to introduce an industry standard for benchmarking cyber risk.

Related Reports

Other reports have looked at why some companies are not buying cyber coverage.

A cyber readiness survey released in February by specialist insurer Hiscox suggested that momentum is building behind cyber insurance. In its survey, overall 55 percent of US firms said they had taken out cyber insurance. Hiscox analysts said its higher take-up figures may partly reflect confusion over what exactly constitutes cyber coverage with some companies believing they are protected under their existing policies.

In the Hiscox survey, among the firms that had not bought cyber cover – 26 percent of the survey sample – and do not plan to do so, two in five (41 percent) of them said “a cyber insurance policy is not relevant for me.”

More than one in six (17 percent) of those that have no plans to take out cyber insurance agreed with the statement: “Cyber insurance policies are so complicated, I don’t understand what cyber insurance would cover me for.”

A report published by Deloitte consultants suggested buyers often don’t understand cyber risks or insurance options and also cited a lack of standardization of cyber policies.

“Similar cyber insurance products offered by different providers often include alternative features, which makes it difficult for buyers to compare policies by value and price,” according to the report. Concerned about potential coverage gaps, businesses want to avoid buying coverage they don’t fully understand with language that may be subject to interpretation, the report said.

The Deloitte report recommended steps the industry could take to overcome buying obstacles including standardising policy language, developing a “risk-informed model” rather than a definitive predictive model for cyber risks, employing more targeted underwriting by industry or exposure, and offering more holistic cyber risk management programs.

Not a Big Deal

Yet another report, this one by the nonprofit RAND Corp., hints at another reason not all companies see cyber insurance or further investment in cyber-security as a good investment. The typical cost of a breach is about $200,000 and most cyber events cost companies less than 0.4 percent of their annual revenues, the study found. The $200,000 cost is roughly equivalent to a typical company’s annual information security budget.

“Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think,” said Sasha Romanosky, author of the study and a policy researcher at RAND. “It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can’t begrudge them for working that way.”

The RAND study ‘s cost estimate is a lot less than the estimate in a May 2014 report by the Ponemon Institute at the University of Michigan. The Ponemon report put a $3.5 million price tag on an individual data breach. Ponemon surveyed 314 companies in 10 countries. The RAND study, which is published in the Journal of Cybersecurity, is based on a private dataset of 12,000 cyber incidents compiled by Advisen.

For more Information and a free Report please contact: Cyber Security Intelligence.com

Insurance Journal

You Might Also Read:

Insurance: How Cyber Risks Are Evolving:

Are Corporate Cyber Defenses Adequate?:

Advice For Cyber Insurance Buyers:

 

 

« Reinventing Cold War Spy Craft
Find Your Digital Risk »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CompliancePoint

CompliancePoint

We design and implement strategies, processes & procedures to mitigate risk, reach compliance goals, protect data assets, and meet industry standards.

Center for Strategic Cyberspace & International Studies (CSCIS)

Center for Strategic Cyberspace & International Studies (CSCIS)

CSCIS seeks to advance global cyberspace security and prosperity by providing strategic insights for cyberspace and policy solutions to decision makers.

Iceberg

Iceberg

Iceberg has been established to provide companies with cyber security experts who will protect businesses from the unseen threat of cyber crime.

CLDigital

CLDigital

CLDigital's no-code risk and resilience platform, CL360, provides leaders with risk and resilience data to make strategic and tactical continuity decisions.

Matrix42

Matrix42

Matrix42 software for digital workspace experience manages devices, applications, processes and services simple, secure and compliant.

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71) is Singapore's first cybersecurity entrepreneur hub.

Secure Digital Solutions (SDS)

Secure Digital Solutions (SDS)

Secure Digital Solutions is a leading consulting firm in the business of information security providing cyber security program strategy, enterprise risk and compliance, and data privacy.

LoughTec

LoughTec

LoughTec secure, manage and connect IT infrastructure for businesses and organisations throughout the UK and Republic of Ireland.

Gunnison Consulting Group

Gunnison Consulting Group

Gunnison Consulting Group serves the Federal Government with high quality IT consulting services.

Aite-Novarica Group

Aite-Novarica Group

Aite-Novarica's Cybersecurity practice provides ongoing research and advisory services to chief information security officers focused on protecting their companies’ assets.

Quantum Ventura

Quantum Ventura

Quantum Ventura is a technology innovation company with a single mission of delivering customer-centric advanced solutions to US Federal & State Governments and Private Sector customers.

Whitaker Brothers

Whitaker Brothers

Whitaker Brothers data destruction equipment can be found in 115 countries and every single continent in the world, from major military organizations to small offices.

Allot

Allot

Allot are a global provider of leading innovative network intelligence and security solutions for Service Providers and Enterprises worldwide.

Judy Security

Judy Security

Judy provides smart, simple, effective, all-in-one cybersecurity for SMBs. Get the 24/7 protection and support you deserve, at a price you can afford.

Lasso Security

Lasso Security

Lasso Security is a pioneer cybersecurity company ensuring comprehensive protection for businesses leveraging generative AI and other large language model technologies.

Custocy

Custocy

Custocy is a unique collaborative AI technology that identifies sophisticated and unknown (zero-day) attacks.