Cyber Insurance Uptake Still Lagging
“It is chronic that organizations are not analyzing the total cost of risk on a relative, comparative basis between tangible and intangible assets,” said Kevin Kalinich, global practice leader of network risk and cyber insurance at Aon Risk Solutions, summarizing the main takeaway from the 2015 Global Cyber Impact report, conducted by the Ponemon Institute and sponsored by Aon Risk Services.
Ponemon surveyed over 2,000 professionals involved with their companies’ cyber risk management and enterprise risk management, working in finance, risk management, compliance or general management roles.
The results revealed a stark contrast between what these professionals say and do about their organizations’ cyber insurance programs.
More than half of survey respondents said they expected their companies’ cyber exposure to increase over the next two years, but fewer than one in five were carrying coverage with an average limit of $13 million.
For example, 52 percent of respondents said they expected their companies’ cyber exposure to increase over the next two years, and 72 percent felt their current cyber coverage was sufficient.
Despite this confidence, only 19 percent of respondents were carrying coverage with an average limit of $13 million; meanwhile, the Ponemon Institute estimated that the probable maximum loss (PML) from stolen or destroyed information assets could reach as high as $617 million.
“Organizations seem to have a different operating philosophy on assets they insure,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Both [tangible and information assets] are viewed as very valuable, but insurance for tangible assets was at 51 percent of replacement value, versus just 12 percent for information assets.”
Kalinich said the discrepancy comes from senior management’s lack of understanding of their information assets’ impact on financial statements.
Companies are investing more and more in technology to streamline their processes and improve the way they do business, which helps to reduce their PML for tangible assets.
But they fail to take into account the total value that the new technology offers and how that changes their cyber exposure.
“They aren’t comparing the relative value of the assets, the relative exposures, and relative insurance spend of tangible and intangible assets,” Kalinich said. “If they do that, I think they’ll come to the conclusion that they are under-insuring on a relative basis.”
Many respondents also do not disclose material losses to uninsured information assets in financial statements (32 percent) or do so only as a footnote disclosure (36 percent). Not viewing technology as a “balance sheet asset” could contribute to management’s tendency to overlook its value, Ponemon said.
According to the report, only 26 percent of respondents said their company had conducted a formal, third-party assessment of cyber risk. Most had either no assessment (20 percent), or a very informal one (39 percent).
However, part of the problem lies on the insurance provider side as well. Many respondents said they chose not to purchase cyber insurance because coverage was insufficient or came with too many exclusions or restrictions, or because executive management did not see the value, among other reasons.
They have a point.
According to Kalinich, broad and comprehensive coverage with large limits does exist for PII exposure, but not for non-PII cyber exposures such as supply chain or manufacturing disruption, or “tangible damage resulting from an intangible peril.” Those solutions will continue to evolve as the industry gathers more actuarial benchmarking data, he said.