Jitters about the potential for steep financial losses stemming from such threats as computer hacking and data-privacy mishaps are driving more corporate risk managers and finance executives to buy cyber insurance, according to recent surveys.
With premiums flat for the coverage, which purports to protect corporations from legal and property costs not covered by other property-casualty policies, corporate buyers are jumping into the market with both feet.
The desire for protection probably stems from the possibility that a great deal of money could be lost as a result of, say, a computer-generated extortion or a network breach. An indication of current fears is that an attack on as broad a scale as a blow to the legions of users of Microsoft Windows is on the table these days when risk specialists toss around worst-case scenarios.
But current loss experience offers a more realistic view of what’s at stake. Security incidents and data breaches are spawning multimillion-dollar losses, according to the results of a study of 638 U.S.-based executives, managers and staffers involved in their companies’ cyber-security risk management activities released by the Ponemon Institute earlier this month. (Registration is required.)
The average financial impact to companies hit with one or more negative cyber events was $9.4 million, said the study, which was sponsored by Experian. (The firm, which focuses on corporate data-breach protection, occasionally refers clients to cyber insurers but does not sell or benefit from the sale of the coverage itself, says Michael Bruemmer, a vice president at Experian.)
The most common data breaches stemmed from negligence or mistakes that resulted in the loss of confidential business information, which occurred at 45 percent of the companies that suffered incidents (see graph, below). The most common cyber attacks are those that caused disruption to business operations (such as denial-of-service attacks). Less common were cyber attacks causing damage to a company’s information-technology infrastructure, including networks and enterprise systems.
When asked to predict their companies’ maximum financial exposure to security incidents and data breaches for the next 24 months, estimates by survey respondents averaged about $163 million. Loss of confidential information and business disruption were the cause of most incidents, according to the study.
Most of the estimated money at risk involved the loss of confidential business information, said the respondents, which came from companies ranging in size from less than 500 employees to more than 75,000.
Fifty-six percent of the companies studied have had “a material security exploit” or “data breach” during the past 24 months. Ponemon, a nonprofit think tank focusing on privacy and data-security issues, defines the former term as “a cyber attack that infiltrates a company’s networks or enterprise systems” and the latter as a “material data breach is one that results in the loss or theft of 1,000 or more records.”
Worries about expensive data breaches and attacks are driving an interest in cyber security insurance, according to the study. At companies that had incidents in the past two years, 70 percent of respondents said the experience boosted their interest in these policies.
In fact, most of the companies either have cyber-security insurance or are considering buying it. Thirty-one percent of the respondents said they have a policy and 39 percent said their organization plans to purchase a policy.
While CFOs don’t tend to have a hands-on role in buying the coverage, they can be strong advocates for it. Thus, although finance chiefs were responsible for assessing and choosing insurers at companies represented by just 4 percent of the respondents, 17 percent said their CFOs were influential “in making the case for the purchase of a cyber security insurance policy.”
Still, whether it’s the CFO, the risk manager or another corporate official pushing the decision, companies are increasingly deciding in favor of buying the coverage. The number of clients of the financial and professional liability arm of Marsh, the insurance brokerage, that bought cyber insurance surged 33 percent from 2011 to 2012, according to a Marsh client briefing in March (registration required). The firm, which is seeing double-digit growth in the number of clients purchasing cyber coverage in 2013, would not reveal the number of client on which the percentages are based.
In 2012, the maximum cyber coverage limits purchased in 2012 averaged $16.8 million per client, an increase of nearly 20 percent over 2011, according to the Marsh briefing.
Companies renewing their current policies can expect a swing in pricing of 2 percent, either up or down, according to Bob Parisi, the network security and privacy practice leader at Marsh. Depending on the size and computer risks of the company, the price can swing widely, from as low as $5,000 per $1 million worth of coverage to as high as $25,000 to $35,000 for the same amount, according to the broker. Typically, such policies cover companies’ risks in collecting confidential data and the possibility of direct losses to corporate property and revenue resulting from network failures.