Cyber security risks have become more worrisome to large organizations than traditional natural catastrophe risks, according to a new study released today.
The study, titled “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age” and conducted by Experian Data Breach Resolution and the Ponemon Institute, reported that 41 percent of large businesses (those with 500-plus employees) believe cyber security risks are greater than other insurable business risks such as natural disasters, business interruption and fires. Another 35 percent of respondents said cyber security risks are equal to other insurable business risks.
Despite growing concerns over cyber security, the study also found that less than one-third of respondents (31 percent) have purchased cyber insurance coverage, according to the study,
However, those firms that do not currently have insurance coverage – more than half of all survey respondents (57 percent) – indicated they plan to purchase cyber security coverage in the near future.
The survey predicts 50 percent growth in policies purchased in the next year, with more than 100 percent growth within the next two years.
“We are reaching a tipping point where the majority of companies we surveyed now rank cyber security risks as high as other major insurable business risks,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “We anticipate that demand for cyber security insurance is likely to increase in response to evolving breach response policies.”
The cost potential of a future data breach is a primary driver when it comes to purchasing cyber insurance, according to the survey. Many companies realize that security incidents create significant financial risks that must be managed like other major business risks.
Among those companies that had an incident in the past 24 months, 70 percent of respondents said the experience increased their interest in these policies.
Of the 56 percent of respondents that had breaches, the average cost of these incidents was reported at $9.4 million in the last 24 months.
However, those costs are only a fraction of the average maximum financial exposure that the companies surveyed (breached or not) believe they could suffer because of cyber incidents. Respondents quantified the average potential maximum financial risk of a data breach at $163 million, with some projecting more than $500 million in damages.
Thirty percent noted they do not plan on purchasing cyber insurance. For those firms that chose to go without coverage, 43 percent indicated that it is because of the cost and too many exclusions, restrictions and uninsurable risks.
Of those with the insurance, 62 percent believe the premiums are fair given the nature of the risk.
The study also found that those organizations with cyber insurance felt largely satisfied by the protection the coverage provides. They also indicated satisfaction with the added benefits that come with securing the coverage.
“Going through the process of evaluating cyber insurance for their company, 62 percent of the people said that they felt like their company was in a better state of readiness because of going through the process of evaluating cyber insurance, which means that just the preparation and awareness help to improve their level of capability for an incident response for a data breach,” said Bruemmer.
Of those with a policy, 30 percent have experienced an exploit or a data breach and submitted a claim. Nearly all were happy with their providers’ responses to the claim (95 percent good – excellent).
Access to other resources that often are provided by the cyber insurer (forensics, notification, etc.) helped manage the overall security risk, the respondents said. Most policies provide benefits for forensics and investigative costs (64 percent), notification costs to data breach victims (86 percent) and legal defense costs (73 percent).
The interest and adoption of cyber insurance policies as a means to mitigate cyber security risk will grow, researchers say. “Companies worry about the financial impact following a data breach,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Cyber insurance could be an important part of a risk management strategy to protect against potentially severe financial losses.”
To access the full report, “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age”, visit http://www.experian.com/managingcybersecurity.