
Cyber insurance report

by Mark Rowe

While a majority of global organisations say that it is ‘vital’ their organisation is insured against information security breaches, less than half (41 per cent) are fully covered for both security breaches and data loss and just over a third have dedicated cybersecurity insurance. This is according to the 2016 Risk:Value report looking at attitudes to cybersecurity and risk from NTT Com Security, an information security and risk management company.

Research among 1000 non-IT business decision makers in organisations in the UK, US, Germany, France, Sweden, Norway and Switzerland reveals that one in ten (12 per cent) have no insurance cover at all for either eventuality. This is despite most business decision makers admitting that there is an increased cyber security threat, and that the cost of recovering from such an attack could start from around $1 million (£1.2m in the UK).

While cyber liability insurance has become increasingly popular and can include cover for data and privacy breaches, extortion liability and network security liability, only 35 per cent of businesses currently see the need to take a policy out, although a further 43 per cent are getting one or thinking about it. Businesses in the US are most likely to have this type of insurance – 51 per cent compared to just 26 per cent in the UK. Notably, wholesale organisations (43 per cent) are most likely to take out dedicated cyber insurance, together with business/professional services (43 per cent) and utilities companies (39 per cent). Fewer than half (46 per cent) of those respondents whose organisation has company insurance that covers data loss or a breach expect it to cover legal costs. Fewer expect it to cover regulatory fines (43 per cent), government fines (41 per cent) and remediation (41 per cent). Covering loss of business and loss of IP (intellectual property) is even less likely, according to the report, at just 25 per cent.

When it comes to the validity of insurance cover, half of respondents cite that lack of compliance with necessary security criteria could invalidate their insurance, while 46 per cent feel that not complying with business policies could be a problem, and 43 per cent point to the lack of an incident response plan.

Garry Sidaway, SVP Security Strategy & Alliances, NTT Com Security, says: “Faced with risks every day, it’s easy for organisations to look for quick-fix solutions rather than focusing on building a solid security and risk management strategy. Rather than relying solely on an insurance policy to cover losses, businesses need a different game plan. Buy insurance by all means, but ensure that you can demonstrate that you have put controls in place to reduce your risks, and what these controls cover – this way you know what is being insured. Being able to demonstrate that these controls are being tested and monitored is essential. Insurers need to know what they are insuring and the controls put in place to protect assets – this is the only way they can agree on cover.

“Security needs to be embedded into the culture of an organisation, from top to bottom, championed by the CEO, designed and executed by the CISO and communicated effectively so that every employee takes responsibility for ensuring that good practices are followed.”

Cyber insurance is a potentially huge market, and annual gross written premiums are estimated to grow from around $2.5 billion in 2015 to reach $7.5 billion by the end of the decade, according to “Insurance 2020 & beyond: Reaping the dividends of cyber resilience”, a report by audit firm PwC.

The NTT Risk:Value report also suggests that only around half (52 per cent) of businesses have a full information security policy, while less than half (49 per cent) have a disaster recovery plan in place. The Risk:Value 2016 Executive Summary report can be downloaded here.


© 2024 Professional Security Magazine. All rights reserved.
