According to a recent survey of risk and financial managers, only 28 percent of North American companies have cyberinsurance in place — and many of their policies have low payout caps.
Specifically, 43 percent of the policies surveyed were for $1 million to $5 million in coverage — not all that much, given that 77 percent of the responding companies had $500 million or more in annual revenues. Also, the Ponemon Institute has reported that the median cost of cybercrime to an organization is $5.5 million.
The whole point of insurance is to cover large losses — losses too big to be covered out-of-pocket, losses which could be crippling to a company.
So why aren’t companies purchasing adequate coverage for potential cyber losses?
Two-thirds of respondents to the Towers Watson survey said that their security was good enough — that their technology and risk controls were sufficient, or that there wasn’t significant data in their organizations that could be exposed.
Do companies really think that they can protect themselves against data loss? That’s like not buying fire insurance because you have sprinklers installed. Yes, sprinklers are good to have — in fact, your insurance company is likely to insist on them. But they can’t guarantee that you’ll never have a fire.
I have a really hard time understanding why anyone would think their enterprise doesn’t need cyberinsurance. Do they really think they won’t get hacked? That they won’t lose any data accidentally? That every single employee is pure of heart and deed?
Indeed, the 2012 PwC Global State of Information Security Survey shows that security capabilities have actually been dropping over the past three years. Only 29 percent of companies have an accurate inventory of where their data is stored, for example, down from 39 percent in 2009. And only 27 percent of North American companies conduct due diligence of third parties handling personal data — down from 45 percent in 2009.
According to the Verizon 2012 Data Breach Investigations Report released last month, 2011 saw 174 million records compromised in 855 separate incidents. And a Ponemon survey published last year showed that 90 percent of organizations had at least one breach over the previous 12 months.
So why the big disconnect about cyberinsurance?
One reason is that the folks responsible for buying cyberinsurance don’t work closely enough with the folks securing the enterprise. The IT department thinks that the finance department has coverage in place. The finance department doesn’t understand the technology and is counting on IT to keep the company safe. And some executives might think their existing policies cover data breaches when they don’t.
Nobody wants to stand up and say, “Our security system has holes in it that we can’t plug. We need to buy insurance.”
The perception that there’s insurance in place is dangerous when there’s no actual coverage. People can start slacking off if they think losses are covered. Insurance companies normally compensate for this by insisting on audits — they go in and check that the sprinklers are working and that smoke detectors are in place and that security cameras are installed.
In the cybersecurity space, this translates to network, data, and policy audits. Does the customer use the latest security technology? Does the customer have privacy policies in place? Do they restrict employee access to file-sharing networks? Do they scan outgoing communications to ensure that customer data isn’t being transmitted out of the company? Are privacy policies in place and are there procedures to ensure compliance?
By carrying out security audits and implementing privacy policies, companies don’t just lower their insurance premiums. They also lower the possible expenses, bad publicity, and loss of reputation that could result from a major data breach.
That’s got to be worth more than saving a few bucks on insurance.