A new survey by the research firm Ovum says 50% of U.S. businesses don’t have cyber risk insurance. Just 16% of the 100% have full coverage. The survey was done for the analytics company FICO and it also found 27% of that 50% say their companies have no plans to purchase said insurance.
Ironically — and dangerously — 61% say they expect cyber attacks increase in the next year.
The survey found U.S. companies lag in cyber coverage when compared to Canada and the United Kingdom. The report says 40% of firms report no cyber coverage in those countries.
And why? Mistrust of insurance pricing is what most say.
The survey is wide-ranging. It connected with 350 c-suite executives and senior security officers. They come from sectors like:
• Financial services
• Media service providers
• 30% have 500 to 1,000 employees
• 28% have 1,001 to 4,999 employees
• 17% have 5,000 to 9,999
• 25% have more than 10,000
Bob Shiflet of FICO said the Ovum survey finds U.S. healthcare to be father behind than most when it comes to cyber insuring. None of those surveyed in healthcare have insurance that covers all risks and 74% had no insurance at all. Shiflet said this is troubling but some of that must be laid at the feet of the insurance industry.
“There are steps the insurance industry can take to make guidelines clearer and explain premium adjustments, but companies need to be willing to dedicate the resources required to protect themselves from the breaches they themselves see as likely, if not inevitable,” Shiflet said.
Cost and lack of clarity from the industry is problematic:
• Just 25% of those responding think premiums reflect their risk profile
• Only 23% think the insurance industry is clear and transparent in its approach to pricing
• 29% of the executives think insurers need clear guidelines about how premiums are chosen
• 28% want clearer communications on why premiums are adjusted when that happens
• 23% want insurers to introduce a standard for benchmarking cyber risk
Hiscox did a similar survey that said 55% of U.S. firms have taken out cyber insurance but these businesses are — as with the Ovum survey — confused about what cyber coverage actually entails and what is protected.
For those who don’t have cyber insurance:
• 26% do not plan to purchase
• 41% said cyber insurance policies are not relevant to their business
• 17% say they have no plans to take out insurance — ever — and agreed with this statement: Cyber insurance policies are so complicated — I don’t understand what cyber insurance would cover me for.
Deloitte also did a survey that found buyers just don’t understand cyber risks or options for insurance. And all — the report found — want standardized policies. “Similar cyber insurance products offered by different providers often include alternative features, which makes it difficult for buyers to compare policies by value and price,” the report said.
Deloitte also outlined steps similar to those of Ovum for insurers to take:
• Standardize policy language
• Develop a risk-informed model rather than a definitive predictive model for cyber risks
• employ more targeted underwriting by industry or exposure
• Offer more holistic cyber risk management programs
RAND Corporation did a different report and hit the real nail on the head. Companies — it found — just don’t see cyber insurance as a good investment. The typical cost of a breach according to RAND is $200,000 which means an event will cost a company about 0.4% of annual revenues.
Sasha Romanosky of RAND put it in perspective. “Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think. It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can’t begrudge them for working that way,” Romanosky said.
Ponemon seriously disagrees with RAND’s conclusions. It’s report from May of 2014 found the average data breach costs something like $3.5 million for super-sized companies.
Source link: Insurance Journal