Jitters about the potential for steep financial losses stemming from such threats as computer hacking and data-privacy mishaps are driving more corporate risk managers and finance executives to buy cyber insurance, according to recent surveys.
With premiums flat for the coverage, which purports to protect corporations from legal and property costs not covered by other property-casualty policies, corporate buyers are jumping into the market with both feet.
The desire for protection probably stems from the possibility that a great deal of money could be lost as a result of, say, a computer-generated extortion or a network breach. An indication of current fears is that an attack on as broad a scale as a blow to the legions of users of Microsoft Windows is on the table these days when risk specialists toss around worst-case scenarios.
But current loss experience offers a more realistic view of what’s at stake. Security incidents and data breaches are spawning multimillion-dollar losses, according to the results of a study of 638 U.S.-based executives, managers and staffers involved in their companies’ cyber-security risk management activities released by the Ponemon Institute earlier this month. (Registration is required.)
The average financial impact to companies hit with one or more negative cyber events was $9.4 million, said the study, which was sponsored by Experian. (The firm, which focuses on corporate data-breach protection, occasionally refers clients to cyber insurers but does not sell or benefit from the sale of the coverage itself, says Michael Bruemmer, a vice president at Experian.)
The most common data breaches stemmed from negligence or mistakes that resulted in the loss of confidential business information, which occurred at 45 percent of the companies that suffered incidents (see graph, below). The most common cyber attacks were those that caused disruption to business operations (such as denial-of-service attacks). Less common were cyber attacks causing damage to a company’s information-technology infrastructure, including networks and enterprise systems.
When asked to predict their companies’ maximum financial exposure to security incidents and data breaches for the next 24 months, estimates by survey respondents averaged about $163 million. Loss of confidential information and business disruption were the cause of most incidents, according to the study.
Most of the estimated money at risk involved the loss of confidential business information, said the respondents, who came from companies ranging in size from fewer than 500 employees to more than 75,000.
Fifty-six percent of the companies studied have had “a material security exploit” or “data breach” during the past 24 months. Ponemon, a nonprofit think tank focusing on privacy and data-security issues, defines the former term as “a cyber attack that infiltrates a company’s networks or enterprise systems” and says of the latter that a “material data breach is one that results in the loss or theft of 1,000 or more records.”