Data Security & Privacy

Cyber-security Risks Higher Than Natural Disasters, Businesses Say – Few Still Buy Cyber-Insurance

This past summer, the Ponemon Institute and Experian Data Breach Resolution released a report stating that most businesses now rank cyber-security risks higher than natural disasters and other major business risks. Despite this shift in the boardroom, few companies are willing to purchase cyber-insurance as part of their overall risk management strategy. An organization's reluctance to purchase cyber-insurance, in spite of this evidence, can be boiled down to the assessment of four competing priorities: (1) Risk Transfer – buying cyber-insurance in order to transfer risk to a third party; (2) Risk Acceptance – bearing the risk and budgeting for the eventual losses; (3) Risk Mitigation – taking steps to contain and minimize anticipated risk losses; and (4) Risk Avoidance – eliminating a risk entirely by removing the conditions that created it.

In today’s corporate cyber-world, it is practically impossible for most companies to simply “avoid” the risk altogether. Most businesses have to rely on internal controls to mitigate the risk, and then self-insure for the eventual breach of information. Upon close inspection of a cost-benefit model, this approach is the most financially prudent course of action. However, the cyber-insurance industry is rapidly evolving to a point where more and more businesses are looking to transfer their cyber-risks to a third party.

Unlike traditional business insurance, cyber-insurance policies are unique to the issuing carrier, and nothing is standard in the industry at this time. While a sizable third-party market exists to cover losses suffered by a company’s customers, first-party policies that address direct harms to the company itself remain expensive, rare, and largely unattractive. Several factors are to blame for this, including: (1) a lack of actuarial data, which results in high premiums for first-party policies that many can’t afford; (2) the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks; and (3) fear that a so-called “cyber hurricane” will overwhelm carriers that might otherwise enter the market, before they have built up sufficient reserves to cover large losses.

Among the 56 percent of companies surveyed by Experian and Ponemon that reported a cyber-related breach, the average cost per incident over the last 24 months was $9.4 million. This figure, however, was only a small fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to a cyber-attack.

Third-party insurance and self-insuring against cyber-security risk are not always mutually exclusive investments. Cyber-security requires a comprehensive risk management solution that examines the organization's people, processes, and technology. To properly evaluate the necessary coverage, a business should categorize and understand its exposure for its own losses and internal expenses, and consider potential liabilities to third parties based on an assessment of that business.
