Purchasing of cyber insurance by US risk managers increased yet again last year, driven by growing board recognition of cyber risk and a robust regulatory environment.
In contrast, purchasing of cyber insurance in the UK continues to lag, reflecting a developing regulatory environment and board attitudes to cyber. However, the introduction of mandatory notification requirements and higher penalties under the General Data Protection Regulation (GDPR) is likely to see organisations catch up.
US risk managers continue to show high levels of confidence in stand-alone cyber insurance policies, according to the 2017 Cyber Survey from RIMS, the US body representing risk managers. Of the 288 RIMS members surveyed, 83% said that they had a stand-alone cyber insurance policy. Almost three-quarters (72%) said that they now transfer cyber exposures to a third party.
The impressive levels of cyber insurance penetration among RIMS members reflect the importance these organisations now place on the complementary nature of insurance and risk management. They also reflect the more stringent data protection regulations that exist in the US, which include requirements to notify regulators and data owners of a breach.
In the UK, cyber insurance purchasing is growing but penetration levels remain much lower than those seen in the US. Only around half of UK companies currently buy cyber coverage, according to a survey of its members by Airmic, the UK equivalent of RIMS.
The PwC Global State of Information Security Survey 2017 puts that figure even lower, with just 38% of organisations buying relevant cyber insurance cover.
The lower levels of cyber insurance purchasing in the UK can be taken as a reflection of board attitudes to cyber risk. A recent government survey found that boards of FTSE 350 companies are still ill-equipped to deal with cyber risk.
According to the Cyber Governance Health Check Report 2017, almost one-third of boards (31%) said they do not receive comprehensive management information on cyber risk and only 43% said they have a clear understanding of their company’s key information and data assets. Over two-thirds (68%) said they have not received training to deal with a cyber incident.
In the US, boards appear to be giving more consideration to cyber risk. Analysis of financial disclosures in the first half of 2017 by Bloomberg showed a jump in cyber risk disclosures.
Some 436 companies cited cyber security as a risk factor in their Securities and Exchange Commission filings, compared to 403 companies in 2016 and 305 companies in 2015.
While boards are still coming to terms with cyber risk, the risk management community may be ahead of the curve, with growing interest in cyber risk governance and insurance.
In a recent paper, Airmic encourages risk managers to review the cyber insurance market, arguing that there has been a shift towards more relevant cover in the past year. The rapid development of the cyber insurance market has seen an increase in limits and a focus on first-party losses, as well as a move to the standardisation of covers across the market, making the purchasing process easier, Airmic said.
Airmic noted that cyber risk continues to feature in the top three risk concerns of Airmic members, but confidence in cyber risk management is low. Less than one-third of Airmic members said they are satisfied with their organisation’s ability to manage cyber risks.
The risk management organisation foresees a clear role for its members in understanding cyber risk at an enterprise level and supporting them in evaluating the insurance market and allied services.
A big driver for cyber risk and insurance in the coming years will be the GDPR, which will introduce regulatory breach notification requirements in the UK and the rest of the EU from May 2018.
Similar requirements, coupled with a number of high-profile data breaches, have seen cyber insurance purchasing increase substantially in the US. According to RIMS, penetration rose from 51% in 2015 to 80% in 2016, while the number of organisations that transferred cyber exposure to a third party increased from 58% in 2015 to 68% in 2016.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org