Cybersecurity Insurance: Smart Investment?
A study conducted for Hiscox shows that, out of 3,000 companies in the U.S., UK and Germany, slightly more than half (53 percent) are not prepared to effectively handle a cyberattack. The study concludes that U.S.-based companies not only outrank the others on key aspects such as planning, strategy, resourcing and process, but are also the most heavily targeted by cyberattacks.
The Hiscox Cyber Readiness Report 2017 shows that U.S. companies are the most likely to have experienced an attack: 72 percent of larger businesses reported at least one cyber incident in the past year. According to the report, cyberattacks on larger U.S. companies cost, on average, up to $102,000, significantly lower than the figures that make the headlines. Still, the average cost is high. Cyberattack incidents are on the rise, so it comes as no surprise that investing in cybersecurity is steadily becoming more significant to these enterprises.
Following numerous recent data breaches, a great deal has been published about cyber liability insurance. Because many companies are unsure how to approach cybersecurity, several questions about cyber insurance remain open in the corporate world. Companies with existing insurance may be unsure whether investing specifically in cyber insurance is necessary.
“If companies are looking for real risk transfer, they’re going to want to buy a dedicated policy for multiple reasons. Other policies are either specifically excluding cyber-type triggers or events, or it is seen that the type of coverage is limited or nonexistent,” says Laurie Schwarz, Senior Vice President of Lockton Insurance Brokers, LLC, a member of San Diego’s Cyber Center of Excellence (CCOE).
To cover all aspects of data exposure and possible breaches, companies should have a strong understanding of how their cyber insurance mitigates cyber risk. The report notes that the complicated nature of insurance policies can cause confusion about exactly what cyber insurance covers.
“There is a great expression: if you’ve read one cyber policy, then you’ve read one cyber policy… Cyber policies can cover multiple things, and it depends on the organization, the need and the carrier in terms of what it can provide,” Schwarz explains.
Given the numerous aspects of insurance coverage, it is a common assumption that buying insurance is a difficult process. According to the Hiscox Report, firms must have a comprehensive cybersecurity plan in order to avoid difficulty in determining where spending should go. Whether the process is straightforward or challenging depends on the organization itself.
“It’s a matter of going through the process and seeing what companies’ options, coverages and costs are… Once upon a time, there may have been a perception that buying coverage was challenging, but I would say, with advice and a good broker, it’s their job to lead you through the experience in that you know what the process is going to be without any major surprises along the way,” says Schwarz.
According to the report, a common practice among companies is to transfer the cyber risk to an insurer. Insurers are thus expected to provide trustworthy policies, bring clarity to an otherwise complicated subject, and ensure that every aspect of exposure is covered. Most insurers welcome these seemingly heavy responsibilities. “You’re being able to bring some certainty and quantification to an otherwise unknown or uncertain situation,” says Schwarz.
The benefits to be gained from cyber insurance depend directly on companies understanding the vast amount of information that is exposed to employees and the public. Insurance provision produces better results when companies have a strong comprehension of their exposures. U.S. companies and the cyber insurance industry as a whole must improve communication, as both share the goal of further managing and understanding cyber risk.