Companies buying cyber insurance stalls, survey says

By Cate Chapman on October 30, 2014

Cyber risk may be climbing the corporate ladder in terms of priority with more board members and C-level executives focused on information security, but the purchase of insurance plateaued, according to the Fourth Annual Survey on Information Security and Cyber Liability Risk Management.

Companies purchasing cyber insurance flattened at 52 percent–the same percentage as a year ago, the survey by Advisen Ltd. and Zurich showed. This percentage had risen the last several years.

Meanwhile, companies planning to buy it for the first time increased just one point to 54 percent compared to 2013 when this percentage more than doubled from the previous year.

“Most concerning,” said Erica Davis, vice president of underwriting, Zurich’s Specialty E&O, is the finding that 62 percent of those surveyed could confirm their companies had a breach plan in place. This number is down 10 points from 2013.

“The nature of cyber security is evolving so quickly it can be difficult for businesses to keep track of the risks let alone the solutions,” said Davis, who presented the results here at Advisen’s annual Cyber Risk Insights Conference.

The survey, conducted in August among risk managers, insurance buyers and other risk professionals, garnered 507 responses—mostly from members of risk management departments with more than 20 years of experience. The companies they represented skewed large, with 55 percent having revenue in excess of $1 billion, ranging across healthcare, education, utilities, transportation, banking, government and other sectors.

Even amid accelerating reports of massive data breaches in 2014, the perception that cyber and information security threats pose at least a moderate threat was largely unchanged at 88 percent from a year ago, the survey showed. What increased were reports that the perception of the threat had spread to boards (64 percent in 2014, up from 54 percent in 2013) and C-suite executives (72 percent, up from 64 percent).

But companies also saw a decrease in multi-departmental risk management teams, with 52 percent of those surveyed saying they have one, down from 56 percent last year and 61 percent in 2012.

And, while 51 percent of organizations continued to include assessment of vulnerabilities from cloud services in their risk programs, the proportion that use these services continued to climb, to 66 percent from 55 percent in 2013 and 45 percent in 2012.

IT departments remain the front line of defense against information losses and other cyber liability risks; 69 percent identified these professionals as primarily responsible for spearheading the effort, similar to last year. Risk management and insurance departments came in “a distant second with 11 percent,” according to the survey.

Most surveyed continued to identify damage to their organization’s reputation from a data breach as their biggest concern. This type of exposure was followed closely by “incurring costs and expenses from a cyber-attack” and “privacy violation/data breach of customer records.”

Among exposures deemed least risky were “theft or loss of customer intellectual property,” “business interruption due to customer cyber disruptions” and “employment practice risk due to use of social media.”

In a sign that recognition of information security risk is spreading, however, the gap between large and small companies (with revenue under $1 billion) that identify it as a specific risk management focus narrowed to 6 percentage points from 17 a year ago.
