Cyber insurance continues to be a hard sell, even within the industry itself, according to a recent survey from A.M. Best Company, which found that 86 percent of insurers surveyed do not yet offer cyber insurance and 53 percent of respondents said they do not purchase the coverage to protect themselves.
The insurance business is built on data, and all types of information must be protected. Insurers may be better than most industries in this area, Best found. Data breaches at insurers – both property/casualty and life/health – do occur, but on a limited scale – just 15 percent of survey respondents said they’ve experienced a breach. Most companies surveyed (75 percent) in Best’s annual fall survey say they have been able to detect and halt intruders in their systems within a day of the breach. Another eight percent said it took up to a month to stop a cyber-attack.
Best identified one area of concern – of the 15 percent of insurers that experienced attacks, 37 percent of those were larger companies with more than $500 million in capital and surplus and with potentially much more appealing data deposits.
“This is an important distinction, because 92% of all capital and surplus is held by these larger companies, and the amount of data these larger companies have is disproportionate to the industry. It may be a misconception to think that the smaller companies with potentially less data security would be the targets of data thieves, as the larger companies, which offer more data to potential thieves, appear to be the main focus of cyber-attacks and data breaches,” Best commented.
One possible reason for attacks on these larger companies could be their methods of data storage. The majority of insurers (73 percent) with more than $500 million in capital and surplus said they used cloud technology for data storage. Smaller companies were not that far behind; 47 percent of them used cloud technology.
“It appears that many insurance companies still are evolving with respect to protecting company data and policyholders’ information, as 72% of respondents house their internal data security functions directly within their information technology groups. So generally the same group that responds to questions about troubleshooting application error messages is also responsible for network security and data protection. Security could be expected to be a segregated function, but of the survey respondents, only 3% said they had a dedicated, specialized cyber security risk departments, and within ‘other,’ a like amount outsource this function,” Best said.
Best also analyzed insurers’ use of social media and their offering of cyber policies. Most respondents that do offer cyber insurance typically attach it to a general liability, but the survey cast doubts on expectations that cyber insurance would gain much traction outside specialty lines in the next year. Nearly 99 percent of insurers said they planned to write less than $100 million in premiums for cyber insurance in 2015.