Not enough buying Cyber Risk Insurance

Nearly three in four corporate risk managers are not buying insurance policies to cover data breaches and damage to customers’ privacy despite the rising threat of hacking, according to a recent survey.

In the USA, companies are largely ignoring the cover. According to consultants Towers Watson in their annual review of corporate risk, those who are taking out “cyberinsurance” are buying policies with only limited protection in case of an attack.

The Towers Watson survey was conducted in February and March 2012, covering companies across industries. The majority of them have annual revenue in excess of $1 billion.

Insurance brokers reported last year (2011) that interest from businesses was increasing for cover to protect against civil suits and regulatory fines from data breaches, following high-profile attacks on companies like Sony and Citigroup.

That, in turn, led a number of insurers to start offering policies, which had an immediate downward effect on rates as capacity exceeded demand.

But the Towers Watson survey indicates that interest is not converting into actual business — 72 percent of the 153 risk managers surveyed said they were not buying a policy at all.

Of those not taking coverage, two-thirds gave reasons such as their internal controls being adequate or not having a significant data exposure. Fewer than half said they conducted regular “penetration tests” to assess the adequacy of their network.

In its annual study on the cost of cybercrimes in 2011, the Ponemon Institute found the median cost of such crimes to an organization was $5.9 million. (The same study found attacks had risen 44 percent from a year earlier.)

Cyber-insurance can be bought as “stand alone” cover or as part of Management Liability, Commercial Crime or Multi-media Liability policies. These policies seek to cover claims made by the Insured’s customers whose accounts have been hacked. A hack can cause private information to be released or misused, and can include theft of cash assets. There are also additional costs, such as notification letters sent to affected customers and statutory fines and penalties associated with data breaches.

These policies will also carry all sorts of exclusions that seek to put the onus on the policy holder. Some exclude coverage for any incident that involves an unencrypted laptop. Others have conditions that say coverage can be voided if regular software updates are not downloaded, or if employees do not change their passwords periodically.

This is an emerging and increasing risk that needs to be managed effectively. If such an interruption to your business can severely damage your income or reputation, then Cyber-risk insurance should be considered. Speak to an expert in this area.

Speak to CPR Insurance Services, experts who will save you!