More and more organizations are going for insurance against cyber security threats. Have you?
Cyber security was first recognized as a major global risk by the World Economic Forum in its annual Global Risk Report in 2012. Since then, every year, cyber security threats (large scale cyber attacks or massive incidents of data theft/fraud) have been identified as most likely global risks by the WEF. In this year’s report, cyber attacks are rated high on both impact and likelihood. In short, it is a big global risk.
Organizations globally are waking up to the risk.
And when risk is looming large, can insurance be far behind?
As part of their risk mitigation strategy, many large organizations are going for the ultimate option: insurance. When all else fails, every defense mechanism included, there has to be something to fall back on. Insurance is that last resort.
“By now, it seems clear that technically adept adversaries will always find new ways to circumvent cyber security safeguards. That’s why many businesses are purchasing cyber security insurance to help mitigate the financial impact of cyber crimes when they do occur,” says PwC’s 2016 Global State of Information Security Survey.
The cyber security insurance market is already $2.5 billion, going by 2015 annual sales, according to a report from PwC, released in September last year. Called Insurance 2020 & beyond: Reaping the dividends of cyber resilience, it estimates that the cyber insurance market is expected to double by 2018 and grow threefold to $7.5 billion by 2020.
In an article titled Mitigating Risk: Navigating the Cyber security Insurance Market, Michael Bruemmer and Mark Greisiger, two veteran cyber risk professionals, estimated that the cyber security insurance market increased by 250% between 2013 and 2015.
“90% of cyber insurance is purchased by US companies,” the PwC report said, quoting Fortune, “underlining the size of the opportunities for further market expansion worldwide.” Even in the US market, the report said, only around a third of companies have some form of cyber coverage. There is also a wide variation in take-up by industry, with only 5% of manufacturing companies in the US holding standalone cyber insurance, compared to around 50% in the healthcare, technology and retail sectors, the report said.
The Last Resort
The State of Information Security Survey 2016 by PwC identified five strategic security initiatives, one of which is cyber insurance. As many as 59% of respondents in its survey said they were pursuing cyber security insurance as a strategic security mechanism.
Cyber insurance is a smart move. Adopted by many CSOs who know that cyber crime does happen through even the smallest of slips, despite the most sophisticated security systems, insurance brings added advantages. Insurance companies treat cyber data as intellectual property and not only insure lost data, but also provide coverage for loss of brand image. For consumer companies, insuring against cyber security threats is not just a risk mitigation strategy but can be used as a marketing advantage, driving the message, “your data is safe with me.”
Some insurance companies also cover incident response, investigation and cyber security audit expenses. Business interruption caused by cyber attackers is also considered a loss, and reimbursement is paid by the companies.
The risk coverage portfolio of cyber security insurers is expanding. “Today, first-party insurance products cover data destruction, denial of service attacks, theft and extortion; they also may include incident response and remediation, investigation and cyber security audit expenses,” says the PwC survey.
Other key areas of coverage include privacy notifications, crisis management, forensic investigations, data restoration and business interruption. The insurance industry is attempting to expand into policies that cover the value of lost intellectual property, reputation and brand image, as well as cyber-related infrastructure failures, the PwC survey adds.