Despite praising benefits of data breach cyber insurance, most companies remain uninsured
Experian Data Breach Resolution and Ponemon Institute study finds growing interest in cyber insurance to manage risk
Costa Mesa, Calif., Aug. 7, 2013 — Experian Data Breach Resolution and the Ponemon Institute released a new study today that shows that companies now rank cyber security risks as greater than natural disasters and other major business risks. While only 31 percent of companies are insured today, there are a growing number of companies exploring policies. This indicates a larger appetite for financial protection in the wake of a breach. The report, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, is one of the first to examine corporate adoption and attitudes about the rapidly evolving cyber security insurance market and how companies are managing the potential financial damage of breaches. Respondents include senior privacy and compliance professionals involved in evaluating cyber insurance policies and corporate risk management. The top industries represented are retail, public sector, health and pharmaceuticals, and financial services.
Companies surveyed acknowledged the potential financial impact associated with security breaches. Of the 56 percent that had breaches, they reported an average cost of these incidents as $9.4 million in the last 24 months. However, these costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents.
“We are reaching a tipping point where the majority of companies we surveyed now rank cyber security risks as high as other major insurable business risks,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “We anticipate that demand for cyber security insurance is likely to increase in response to evolving breach response policies.”
Key findings include the following:
Data breaches impact more than IT teams
With the rapid increase in the threat landscape and the number of data breaches, concerns over how to manage them have moved beyond corporate IT teams to other major parts of organizations. Many companies realize that security incidents create significant financial risks that must be managed like other major business risks. In fact, respondents quantified the average potential maximum financial risk of a data breach at $163 million, with some projecting more than $500 million in damages.
• Security exploits are greater than or equal to a natural disaster, business interruption, fire, etc., according to 76 percent of respondents.
• On average, respondents say there is a nine percent likelihood that their company will experience the predicted maximum financial impact during a data breach. This is a small but significant number when compared with other areas that are regularly insured.
Cyber insurance is becoming a key consideration to mitigate fallout
Most companies are increasingly looking to cyber insurance as part of the solution for managing the risk posed by security incidents to accompany technical protections. Not surprisingly, the study found that the likelihood of a company considering a policy increases after experiencing an incident.
• Thirty-one percent of companies report current cyber insurance coverage, and survey results show growth on the horizon. In fact, 39 percent of respondents say their organization plans to purchase a policy.
• Additionally, more than half with a policy believe it is an essential part of their companies’ risk management programs.
Those with cyber insurance are largely satisfied by the protection it provides. However, even more interesting are the added benefits for the company’s security preparedness and its access to other resources (forensics, notification, etc.) to help manage security.
• Sixty-two percent found that the process of evaluating cyber insurance policies improves the company’s cyber security preparedness and readiness.
• Of those with a policy, 30 percent have experienced an exploit or a data breach and submitted a claim. Nearly all were happy with their providers’ responses to the claim (95 percent good – excellent).
• Most policies provide benefits for forensics and investigative costs (64 percent), notification costs to data breach victims (86 percent) and legal defense costs (73 percent).
Still skeptics among the crowd
Despite the increased interest in cyber insurance, there are some companies that still are skeptical about policies and restrictions. Thirty percent noted they do not plan on purchasing cyber insurance.
• Those without a policy noted that price is a roadblock for purchasing. Respondents also said that policy conditions that include excessive exclusions, restrictions and uninsurable risks inhibit their organization from purchasing a policy.
• However, of those with insurance, 62 percent believe the premiums are fair given the nature of the risk.
The evolution of how to prepare for and manage security exploits will continue to advance. The study indicates more and more interest and adoption of cyber insurance policies as a means to mitigate the impact of an exploit.
“Companies worry about the financial impact following a data breach,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Cyber insurance could be an important part of a risk management strategy to protect against potentially severe financial losses.”
To access the full report, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, visit http://www.experian.com/managingcybersecurity.
For more information, visit http://www.experian.com/databreach.
Read Experian’s blog at http://www.experian.com/dbblog.
1 206 268 2212
Experian Data Breach Resolution
1 949 202 7296
About Experian Data Breach Resolution
Experian® is a leader in the data breach resolution industry and one of the first companies to develop products and services that address this critical issue. As an innovator in the field, Experian has a long-standing history of providing swift and effective data breach resolution for thousands of organizations, having serviced millions of affected consumers. For more information on the Experian Data Breach Resolution division at ConsumerInfo.com, Inc. and how it enables organizations to plan for and successfully mitigate data breach incidents, visit http://www.experian.com/databreach.
Experian is the leading global information services company, providing data and analytical tools to clients around the world. The Group helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.
Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended 31 March 2013 was US$4.7 billion. Experian employs approximately 17,000 people in 40 countries and has its corporate headquarters in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.
For more information, visit http://www.experianplc.com.
Experian and the Experian marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.