(Risky) Businesses face millions in cyber losses – even with insurance
By Amy Elizabeth Stewart
It’s clear that businesses are aware of the risks posed by cyber breaches, given the growth of the cybersecurity industry and the growing number and variety of insurance products available to help companies recover from cyber attacks.
Still, there’s plenty of room for growth, according to a recent report titled “The Cybersecurity Risk to Knowledge Assets,” a joint effort of the law firm Kilpatrick Townsend and Ponemon Institute LLC. The bulk of the 35-page report is devoted to the potential loss of “knowledge assets” (i.e., trade secrets and other confidential information) in a cyber breach, but it also includes some interesting notes for those of us who follow the cyber insurance world.
According to the report, 60 percent of businesses surveyed either have cyber insurance (29 percent) or plan to get it within the next year (31 percent).
What is surprising, though, is this finding: “Companies with cyber insurance report on average that only 35 percent of losses involving knowledge assets are covered” (emphasis added).
With the average cost of a cyber breach in the $4 million to $5 million range (according to different sources), that means even companies with cyber coverage are potentially exposed to $2.6 million to $3.25 million in losses per attack.
Why do policyholders only have coverage for about a third of their potential losses? The report doesn’t say, but there are a few possibilities, according to Paul King, Cyber Practice Leader at the insurance brokerage and consulting firm USI:
- Risk Management usually does not have a clear idea what IT is holding as far as value/impact in a breach event; and
- A large percentage of risk managers, especially in the middle market space, aren’t aware of what is fully available in the wildly non-uniform cyber marketplace.
One thing that’s probably not the cause for the insurance gap? Cost.
“Cyber remains very affordable, but the terms are all unique by, and to, the carrier and many will not cover ‘reputational revenue loss’ (you have to know where to look) and even most brokers are unfamiliar with the coverage,” King says. “Capacity is not a problem; creativity, insured and broker market knowledge and negotiating coverage from underwriting are more of an issue.”
Chief Risk Officers = Active Risk Management
Another interesting note from the cybersecurity report:
Chief Risk Officers (CROs) are more likely to favor cyber insurance. Forty-nine percent of respondents who self-reported they are CROs say their organizations have cyber insurance in contrast to other respondents (27 percent). Organizations with CROs also report a higher level of coverage of theft or loss of knowledge assets than other organizations (an average of 48 percent vs. an average of 34 percent).
So if a business has the foresight to have a Chief Risk Officer, it is much more likely to have a realistic take on its potential loss in a data breach or other cyber event.
The presence (or absence) of a CRO may itself become an issue in D&O liability at some point, King says.
“It’s active risk management versus slamming that function into finance, legal or treasury, where there may or may not be expertise,” he says. “Passive or complimentary risk management is a ‘risky’ way for the enterprise to address risk.”
If you would like to read the full report, it’s here. Hat tip to Business Insurance reporter Judy Greenwald for her excellent story on the report.
If you’re in the market for cyber insurance, Amy Stewart Law represents policyholders exclusively at every step of the insurance process, from procurement and renewal to claims and dispute resolution.