The overall upward trend of organizations purchasing cyber insurance continued in 2016, however there are signs the market is slowing after six years of rapid growth.
A 2016 Zurich Insurance-Advisen survey shows that over the last six years, the proportion of companies buying cyber insurance has increased by 85 percent, up from 35 percent of companies purchasing coverage in 2011 to 65 percent in 2016. However, the proportion of companies buying in 2016 was up only seven percent from 2015. This compares to an 18 percent increase in 2015 over 2014.
Businesses within personal data-driven industries such as health care, finance and banking, retail and communications industries view cyber risk more seriously, have more robust cyber security and risk management strategies, and are more likely to purchase a security and privacy insurance, according to the survey. Seventy-six percent of respondents from personal data driven industries view cyber risk as a significant threat as opposed to 55 percent from non-data-driven industries. In addition, 78 percent of respondents from personal data- driven industries purchase security and privacy insurance, compared with only 59 percent from all other industries.
Over the six years of this study, the cyber risk awareness of businesses outside the personal data- driven industry segment has grown, but the authors note there are still some companies that believe their exposure is minimal. For example, the top reason respondents do not purchase a cyber policy is they believe their organization is not susceptible to a cyber-related loss.
“The nature of data security has changed immensely in the six years we have worked on this survey with Advisen,” said Bryan Salvatore, president of Specialty Products for Zurich North America. “This year’s results continue to mark the evolving views of risk professionals, C-suite executives and boards and reveal a shifting approach to information security and cyber risk management.
Salvatore said that industries handling personal data have developed a “good understanding” of the risks associated with potential security breaches, however there is “more work to do” to help other industries better understand the risks they face and how best to protect themselves.
The survey reflects responses from 345 U.S.-based risk managers, insurance buyers and other risk professionals covering both large and small companies.
Eighty-five percent of C-suite executives view cyber security as a significant threat, which is 27 points higher than the first survey in 2011 when only 58 percent of respondents indicated that their C-suites executives considered it as such. The results show that most businesses have implemented at least some pre-breach risk management activities.
Businesses are recognizing the additional threat of engineering tactics such as phishing and spear phishing emails to employees, with 50 percent of respondents indicating that employees unintentionally infecting their network with malware was a high or extremely high risk and the top concern of survey respondents. But even with a high level of concern about the “human element,” the survey shows that approximately 21 percent of respondents say they still do not have an employee education program in place.
Other findings include:
Eighty-seven percent of respondents believe a technology interruption would have a moderate- to- significant impact on their business. Still, 13 percent do not see technology interruption as even having a moderate risk.
For the first time in the six years of this study, general counsel has surpassed information technology (IT) as the department most frequently responsible for assuring compliance with all applicable federal, state, or local privacy laws, including state breach notification laws.
Most companies surveyed (97 percent) clearly recognize the importance of collaboration between their risk management and information technology (IT) departments on issues related to cyber security.
Costs related to a breach of customer/personal information is the leading reason for purchasing security and privacy insurance.
Source: Zurich Advisen cyber survey