Surveys consistently show a steady rise in cyber insurance purchasing, but few companies are confident that they will be protected when it comes to a data breach or other cyber incident.
A recent survey of IT professionals, at 500 organisations across 11 countries, by FICO found that 76% of companies surveyed believe they have some level of cyber insurance, up from 62% last year. In the UK, the number of companies with cyber insurance was a surprising 90% (up from 29%) and in the US it was 75% (up from 49%).
It is worth noting that FICO does not specifically ask whether companies have dedicated cyber insurance. The extent to which a company will feel protected by insurance will depend on the scope of cover purchased, the buyer’s understanding of the risk and how their insurance might respond. For example, for some companies cyber is all about data breaches, but awareness is growing of other cyber risks, such as property damage and cyber related business interruption.
In the past, some companies believed that they were covered for data breaches and cyber incidents under traditional property and casualty policies. However, standard p/c policies often contain exclusions for cyber losses and where cover may exist it is likely to be limited. In addition, some p/c insurers offer cyber extensions (such as data breach cover for general liability insurance), while commercial combined insurance will increasingly offer some cyber. However, such coverages will not be as comprehensive as a standalone cyber insurance product.
This may be why FICO found that only half of those surveyed say their insurance covers them for all likely risks they could be insured for - only 38% of US companies and 37% of UK companies believe they have comprehensive cyber insurance. FICO suggests this may also be because companies feel it is not worth paying the extra money needed to cover all likely risk, or that some companies struggle to buy cover for some specific types of cyber risk.
DEDICATED CYBER COVER
Other surveys do seek to measure purchasing trends of dedicated cyber insurance, but results vary. As a general rule, large companies are more likely to purchase standalone cyber insurance than small companies. While US organisations are much more likely to buy cyber cover due to the maturity of the market, the higher cost of data breaches and their breach notification requirements.
Another study, this time from NTT Security, found that only 38% of respondents have a dedicated cyber insurance policy (down slightly from last year’s 40%), while 21% say that they are working towards getting one. In the US, 54% of respondents say they have a dedicated cyber insurance policy, while just 34% do so in Europe, the Middle East and Africa. Just 40% of respondents confirm that their insurance would cover them for both data loss and an information security breach.
The UK government’s 2018 Cyber Security Breaches Survey, which polled 1,500 UK companies, found that a quarter of large businesses now have a specific cyber insurance policy in place, but this falls back to just 9% for companies of all sizes. The 2017 RIMS Cyber Survey found that 83% of RIMS members (typically large companies) had a standalone cyber insurance policy. Of the organisations without a standalone cyber policy, 84% indicated that other insurance policies include some cyber liability coverage.
Surveys of cyber insurance buying offer only limited insight into the extent of cyber coverage. Yet they do reveal that companies are increasingly aware of cyber risk and are looking for insurance solutions. A survey of Airmic members, carried out in partnership with JLT Specialty earlier this year, found that risk managers have a strong desire to transfer cyber exposures to insurers, amid growing concern for technology related risks. Some 45% of those surveyed say transferring data breach risk to the insurance market was their preferred mitigation approach, compared with 41% who would prefer to reduce exposure.
These surveys also highlight the important role of specialist insurance advisors. Companies seeking comprehensive cyber insurance will need to identify their cyber exposures and quantify the impact on their business. By working with a specialist broker, it is then possible to identify where cover exists in existing p/c coverages and purchase standalone cyber insurance to plug gaps and address key exposures with appropriate limits.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org.
YOU MAY ALSO BE INTERESTED IN