Ponemon’s Cyber Insurance Study Finds Companies Neglecting Coverage

The challenges of managing corporate risk - whether through the growth of formal “GRC” (governance, risk management and compliance) programs or through contractual liability transfers – increase each year. However, a recent Ponemon Institute study, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, released Aug. 7, 2013 (available here: http://www.experian.com/managingcybersecurity)(the “Study”) reveals that companies have neglected sourcing cyber security insurance, even though ranking cyber security risks as either an equal or worse financial threat than natural disasters and other major traditional business risks. According to the Study, only 31 percent of the risk management professionals at the companies surveyed report having “cyber risk” insurance coverage in place today, despite the fact that (as detailed in a different Ponemon study, the 2013 Cost of Data Breach Study) the average cost per each lost or stolen data record was $188 in 2012 and the average financial impact per security incident totaled $9.4 million – a potentially crippling or fatal sum for small to medium-sized businesses, and one that can, obviously, vary greatly depending on the amount of data affected, the sensitivity of data content and response handling effectiveness.

Some of the Study’s findings, which include notable positive trends, are:

  • Overall concerns about cyber risks and the financial and other impacts have spread beyond corporate IT. Thankfully.
  • Among study respondents without cyber insurance, 57% indicated an intent to obtain coverage in the future, while 70% (not surprisingly) became interested in investigating cyber insurance after experiencing a data security incident.
  • Premium costs, range of exclusions, restrictions and defined uninsurable risks were the top reasons for not purchasing cyber security insurance (although 62% of those who have obtained coverage believed premiums were “fair” given the nature of the risks involved).
  • A majority of companies believe that their “security posture” overall is strengthened after obtaining cyber risk insurance, in part due to the assessments and other required steps underwriters require as part of policy issuance.
  • A large number of respondents rated insurer responsiveness to data incident claims as either very good or excellent.
  • Primary purchasing evaluation and decision making in selecting and obtaining cyber risk policies is typically handled, according to the Study, by risk management teams, compliance leaders or the CSO/CISO - with secondary input from general counsels, CFOs and other C-Level or business unit executives.
  • General agreement that cyber risk policies typically cover the “most common and costly incidents”, which the study detailed as including human error, negligence, external attacks, system/BP failures and insider acts and omissions. Notably, however, only 11% of respondents stated their coverage protects against “attacks against business partners, vendors or other third parties that have access to the company’s information assets” – a crucial issue to consider in drafting and negotiating any IT-related services agreement.
  • Significantly, the majority of policies held by respondents now cover notification costs to data breach victims, legal defense costs and forensics and investigative costs. 46% reported their policy also includes coverage for regulatory penalties and fines. Much less common were coverage for brand/reputational damage control costs, employee productivity losses, third-party liability or revenue losses.

Although perceived as a “niche” product a few years ago, cyber risk insurance is clearly increasingly perceived as coming into its own as one important arrow in the risk management quiver. The Ponemon Study reveals interesting developments and trends in the cyber risk market and should provide companies still on the cyber risk insurance fence with thought provoking information to consider.

To discuss the Study, cyber risk insurance or risk management programs feel free to contact me or any of the attorneys here at the InfoLaw Group, LLP.