While most companies now have insurance policies that cover specific cyber risks, a growing number are getting their cyber liability coverage as part of broader policies that cover other property-casualty exposures, according to survey results released on Thursday by the Risk and Insurance Management Society.
To be sure, 83% of the 288 corporate risk managers surveyed said their companies bought so-called “stand-alone” insurance policies — coverage designed to address risks like network security failures or liability stemming from a privacy breach, for instance. But that’s a mere uptick from the 80% recorded in 2016, when the number of respondents buying such coverage soared by a whopping 29% compared with 2015.
Further, the number of companies that get their cyber liability coverage from buying other, broader kinds of insurance appears to be rising faster than the population of those that go the stand-alone route. Of those companies that have cyber coverage but do not have stand-alone policies, 84% say that other purchased insurance policies include cyber liability coverage (up from 76% last year).
“The utilization of stand-alone cyber insurance policies is mostly static with 2016,” write the authors of the RIMS survey report. “The rate of increase for stand-alone policies might be slowing because other forms of insurance coverage are picking up the slack.”
The reason for this trend? “[W]e might be seeing something resembling maturity from the cyber insurance market. Those who want to buy cyber coverage have bought it, and specialty stand-alone cyber coverage is nearing saturation. In 2018 any trends along these lines will be more discernible,” the authors predict.
But the findings of the RIMS report, which reflect the views of corporate insurance buyers, may indicate a disconnect between the purchasers of cyber coverage and the insurers attempting to sell it to them. Even as companies seem to be slackening off in terms of buying stand-alone policies, insurers are gearing up to sell them more. In fact, insurers are reportedly moving away from selling package policies and toward stand-alone ones in a big way.
That split may reflect a broader schism: corporations see insurers as taking a hidebound approach to writing cyber coverage in response to risk managers' calls for policies that meet the unique needs of each company. Insurance companies could be a whole lot more innovative in approaching the fast-changing nature of cyber coverage, experts say.
In another survey finding, corporations seem to be perceiving their own cyber risks in terms of the news of the day. “On the heels of WannaCry and other ransomware outbreaks, respondents chose ‘cyber extortion’ as one of the leading first-party exposures their organizations face (72%),” according to the RIMS report.
(First-party cyber exposures are the damages companies themselves could face in the wake of a cyber attack, such as those needed to repair damaged databases and security systems. Third-party risks, by contrast, are the liabilities companies face from others hurt by damage caused to a company’s systems, such as lawsuits by customers against retailers when customer identities are stolen in a data breach.)
Perhaps surprisingly, 47% of the corporate risk managers think the U.S. federal government should mandate the reporting of cyber breaches, with 25% saying it shouldn’t and 28% responding that they are unsure. “It’s the only way to get people to disclose that they’ve been breached. There must be significant fines for failing to do this,” one of the respondents commented.
Said another: “Even if reporting occurs, the government is not in any position to do anything about it.”