Our recent Risk:Value report drew some interesting findings in regards to cyber insurance. Following on from the recent “Insurance isn’t a quick fix for cybersecurity” blog post, the concept of cyber insurance is still relatively new. It is also clear there is still some uncertainty within organisations regarding how it can or should be used.
A recently published press release from the Risk:Value findings indicate that, while the majority of global organisations say that it is ‘vital’ their organisation is insured against information security breaches, less than half (41%) are fully covered for both security breaches and data loss. Just over a third have dedicated cybersecurity insurance.
In terms of coverage, less than half (46%) of those respondents whose organisation has company insurance that covers data loss or a breach, expect it to cover legal costs. Fewer expect it to cover regulatory fines (43%), government fines (41%) and remediation (41%). Covering loss of business and loss of IP (intellectual property) is even less likely, according to the report, at just 25%.
More worrying still is that, when questioned on insurance validity, half of respondents cite that lack of compliance with necessary security criteria could invalidate their insurance, while 46% feel that not complying with business policies could be a problem, and 43% point to the lack of an incident response plan.
These findings indicate an interesting situation emerging – on the one hand, the majority agree it is “vital” to be covered and, on the other, the same respondents outline some fundamental reasons why it may fail within their organisation.
As such, it is important that a comprehensive and mature approach to cybersecurity is taken. That includes getting the basics right, educating employees on their role within cybersecurity and putting in the right processes and procedure to both safeguard data and respond to a breach should it occur.
Referring back to the earlier blog, cyber insurance may play a role in recovering costs should the worst happen, though it will not safeguard against reputational damage, nor prevent a breach occurring. As a result, organisations should make sure they have in place a comprehensive approach to cybersecurity – which includes understanding the risk and taking action to close vulnerabilities. Prevention after all, is still better than cure.
Read our latest thought leadership paper regarding cyber insurance here.
While cyber liability insurance has become increasingly popular and can include cover for data and privacy breaches, extortion liability and network security liability, only 35 per cent of businesses currently see the need to take a policy out, although a further 43 per cent are getting one or thinking about it. Businesses in the US are most likely to have this type of insurance – 51 per cent compared to just 26 per cent in the UK