Companies have neglected to source cyber security insurance, although security officials rank cyber security risks as either an equal or worse financial threat than natural disasters and other major traditional business risks, according to a recent Ponemon Institute study, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age.
Only 31 percent of risk management professionals at the companies surveyed report having “cyber risk” insurance coverage in place, despite the fact that the average cost per lost or stolen data record was $188 in 2012 and the average financial impact per incident totaled $9.4 million. This cost can vary, of course, based on the amount of data affected, the sensitivity of said data and response handling effectiveness, an article from Info Law Group says.
Additional findings from the Ponemon study include:
- Overall concerns about cyber risks and their potential financial impacts have spread beyond the IT department.
- Among respondents without cyber insurance, 57 percent indicated intent to obtain coverage in the future. Seventy percent became interested after experiencing a data security incident.
- Premium costs, range of exclusions, restrictions and defined uninsurable risks were the top reasons for not purchasing cyber security insurance. However, among those who have obtained coverage, 62 percent believe the premiums were fair given the nature of the risks involved.
- A majority of companies believe that their security posture has been strengthened after obtaining cyber insurance, in part due to assessments required as part of policy issuance.
- A large number of respondents noted that insurer responsiveness to data incident claims as very good or excellent.
- Primary purchasing power is typically handled by risk management teams, compliance leaders or the CSO/CISO. Secondary input comes from general counsels, CFOs and other C-Level executives.
- Cyber risk policies typically cover the “most common and costly incidents” – human error, negligence, external attacks, system/BP failure and insider attacks and omissions. Only 11 percent of respondents said that their coverage protects against attacks against business partners or other third parties with access to the company’s information assets.
- The majority of policies held by respondents now cover notification costs to data breach victims, legal defense costs and forensics and investigative costs.