Getty Images/iStockphoto

Cyber insurance uptake growing, but not all firms convinced

The adoption of cyber insurance is expected to grow, but one in three companies still are not sold on the benefits, a survey shows

Cyber insurance adoption is expected to continue to grow, but only 38% of companies polled in the US and Europe have active cyber insurance policies in place, a study has revealed.

Of those insured organisations, 45% purchased cyber cover in the past two years, 32% purchased their policy three to four years ago, and only 24% have been covered for more than five years, according to the study by IT industry networking organisation Spiceworks.

Despite the fact that the adoption of cyber insurance policies to offset the recovery costs associated with security incidents continues to grow, the survey of nearly 600 organisations revealed that many organisations are still not sold on the benefits of cyber insurance and are hesitant to purchase a policy. 

However, according to a separate poll in the Spiceworks Community, 11% of organisations without coverage plan to purchase a cyber insurance policy within the next two years.

“In a world where cyber security breaches increasingly make the headlines, many organisations want the peace of mind an insurance policy offers in the unfortunate event of a breach,” said Peter Tsai, senior technology analyst at Spiceworks.

“As a result, we expect the adoption of cyber insurance to increase in businesses across the globe over the next two years. However, despite these expected gains, many organisations still lack knowledge about cyber insurance, while others are sceptical of the value of these policies in general.”

Cyber insurance drivers

The study shows that increased priority on security is a top driver of cyber insurance adoption, with 71% of organisations purchasing cyber insurance as a precautionary measure, while 44% cited an increased priority on cyber security as the reason they bought a policy.

The risk of managing large volumes of personal data also drove 39% of organisations to purchase cyber insurance. This is likely to be linked to the growing number of data protection requirements around the world, such as the EU’s General Data Protection Regulation (GDPR). However, less than 15% purchased a policy due to a recent security incident or data breach. 

When comparing the prevalence of cyber security insurance policies in North America and Europe, the regulatory environment and impact of new regulations such as GDPR become apparent, the report said. Only 4% of organisations in North America purchased cyber insurance because of new data protection regulations, compared with 43% in Europe.

Across both regions, 52% of companies with cyber insurance have a coverage limit between $1m and $5m, 19% have a coverage limit between $6m and $10m, and 16% are covered for more than $10m. However, the results showed only 7% had ever filed a claim with their cyber insurance provider. 

Among the companies that do not carry cyber insurance, the lack of knowledge about cyber insurance was found to be one of the top three reasons why they have not purchased a policy. Some 36% of IT professionals said their organisation was not covered due to a lack of knowledge about cyber insurance, while 41% said it was not a priority at their organisation, and 40% said they didn’t have budget for it.

Additionally, 33% of organisations have not purchased a policy because they are not sold on the benefits, and 20% reported insufficient use cases for cyber insurance, while 12% said they were not confident claims would be paid out.

Cyber attacks come with a high cost

A report by the insurance industry-backed Cyber Risk Management (CyRiM) project warned that a hypothetical coordinated global cyber attack spread by email could have an economic impact of between $85bn and $193bn.

However, the report said the “lack of sound data, the rapidly changing cyber threat environment, developing regulation and policy landscape, and the global nature of cyber risk with potential for high accumulation risk, constrains the development of the current cyber risk insurance market”.

Despite the high costs to business, the report showed that the global economy was under-prepared for such an attack, with 86% of the total economic losses uninsured, leaving an insurance gap of $166bn.

The report estimates that the total claims paid by the insurance industry in this scenario would be between $10bn and $27bn.

“Comparing the insurance loss estimates to the economic losses shows insurance industry losses are between 9% and 14% of the total economic loss, which shows there are high levels of under-insurance for this type of cyber attack,” the report said.

With the estimated 2019 “cyber affirmative insurance premium” globally at $6.4bn, the research showed the insurance industry was “significantly exposed” to a contagious malware event, the report said.

Read more about cyber insurance


Read more on IT risk management

Data Center
Data Management