BY STEVE YAHN
Traditionally, the CIO and IT departments have been considered the domain for cybersecurity insurance.
However, risk managers "often find themselves in the eye of the security storm with the greater acknowledgement that data breaches have serious financial consequences for organizations," according to a new survey by the Ponemon Institute, sponsored by Experian Data Breach Resolution.
Two in five (40 percent) corporate officers most responsible for cyber insurance decision-making are risk managers, followed by business unit leaders at 25 percent; compliance officers at 17 percent; chief information security officers at 16 percent; chief information officers at 8 percent; and general counsels at 5 percent.
Larry Ponemon, chairman and founder of the Ponemon Institute, which is based in Traverse City, MI, said there sometimes is a misconception in the marketplace that cyberrisk can be covered in a company's E&O, or D&O or property and casualty coverage.
"I suppose it might be," he said, "but I think more and more people realize this is a special type of risk that needs its own specialty coverage.
"It seems like in the past three or four years, companies have begun to consider cyber insurance," he said. "Clearly, cybersecurity is one of the top 10 or top five issues for many organizations. I really think there's quite a market that's developing for cyber insurance. It seems that if lots and lots of companies don't have a policy that they're considering acquiring one."
The Institute's 2013 Cost of Data Breach Study found that the average cost of a data breach was $188 for each loss of a stolen record. "In response," it noted, "major corporate risk underwriters offer policies specifically devoted to helping companies manage the financial costs related to data breaches."
A growing number of organizations have found value in such policies.
Still, fewer than one-third (31 percent) of companies have cybersecurity insurance, with another 39 percent saying their organizations plan to purchase such a policy.
Most companies with cyber insurance have had their policies between one and four years, said the report. Customer satisfaction runs high, with 44 percent of survey respondents extremely likely to recommend their insurance provider to a friend or colleague.
Ponemon said the institute's study showed why some companies aren't using cyber insurance.
"If you look at the positives and the negatives, there's the perception that cyber insurance doesn't cover all the risk or it's unclear whether the insurance will cover all the risk, so those looking at the insurance think they have it nailed but then if you have a problem you come to realize an event wasn't what you thought it was."
Most organizations, however, believe it allows them to reduce the financial liability of a breach or security incident.
Nearly two-thirds (62 percent) of respondents said their companies' ability to deal with security threats improved following the purchase of the cyber insurance policy. The assessments and other steps required as part of purchasing such a policy could have an impact on these improvements, the report noted.
"At some point," Ponemon said, "some light bulb went off for some major companies that there could be a solution for security risk, a helpful tool in the arsenal that having cyber insurance was a good idea.
"Is it the only thing you need to do? Oh, absolutely not," he said. "But by having it, you're going to help relieve some of the pain points. As long as you understand the limits, it can be effective to have an insurance policy."
Some of the most noteworthy findings of the survey included:
* Losses. Security exploits and data breaches resulted in multimillion-dollar losses, with the average financial impact to companies of one or more incidents being $9.4 million. Respondents estimated that the average potential financial risk of future incidents is $163 million. Most involved the loss of business confidential information.
* Oversight. Concerns about cyberrisks are moving outside of corporate IT teams. Protecting against the financial impact of cybersecurity risks ranks as high as or higher than other insurable risks (natural disaster, fire, etc.). Of those that experienced an incident, 76 percent think cyberrisks are greater than or equal to a natural disaster, business interruption, fire, etc.
* Incidents. Worries about costly future data breaches and security exploits have driven interest in cybersecurity insurance. Among those companies that had an incident in the past 24 months, 70 percent of respondents said the experience increased their interest in these policies.
Yahn is the former editor of Advertising Age and lives in New York State.
August 19, 2013
Copyright 2013© LRP Publications