Guest blog, by Michael Shatter, Director of Risk Assurance Services, RSM Australia
The cyber insurance industry is growing. In fact, it is the one of the fastest growing segments of the corporate insurance industry. It is estimated that the cyber insurance market is worth about $2bn in premium worldwide and, based on current predictions, it could reach more than $20bn in the next decade.
We are currently in the third development phase of cyber insurance. According to Allianz, it was Y2K that first provoked companies to look at their cyber exposures and later, the rise of regulation and legislation around data privacy continued to drive it forward into phase two. Now, in the third phase, we are seeing increased awareness around cyber risk, which is encouraging companies to take a close look at how they are protected.
Throughout the evolution of cyber insurance one thing has become clear; defence barriers can never be fully impenetrable and therefore, you are never fully protected. This is what makes insurance the back bone of cyber protection. Organisations of all sizes need to invest in security procedures and tools to make the business as resilient as possible. Preventing a breach is nigh on impossible so it is crucial that organisations have tools in place to detect a breach and have procedures for how to tackle and mitigate it. Organisations should consider all of the data held and produced by the business, and how to protect it.
Most insurance companies today operate in the cyber arena and large corporates, especially in highly targeted industries like retail, finance and healthcare, are protecting themselves. However, there is a disconnect in the middle market. According to the US National Centre for the Middle Market, the majority of middle market companies consider cyber security important for their business, but over half either lack a defined strategy around cyber or have an outdated policy in place, and only 22% hold a cyber insurance policy.
Underinsurance is a serious issue for the middle market as there is a perceived lack of exposure. On the contrary, research from Advisen found that in 2016, large organisations accounted for less than 20% of cyber losses. In many cases, middle market companies are in denial about their vulnerability to cyber-attacks and need to be insured against the risk just as much as their large competitors. Cyber criminals will often cast a wide net and take what they can get most easily. This can have devastating consequences on middle market firms who potentially don’t have the breadth of resource to simply bounce back.
The problem for most businesses is that the knowledge about available cyber policies is very low, especially in the middle market. People do not trust insurers to give them what they need. There is still a level of scepticism towards cyber insurers and therefore the C-suite are still cautious about putting budget towards it. Coupled with this, there is a misconception among middle market firms that existing insurance policies will protect against a cyber-attack or data breach and a lot of organisations will only become aware of a policy’s limitations once a breach has occurred.
A change in the corporate mind set is crucial to drive change and fully protect middle market businesses, but seemingly, there is work to be done. Only 17% of executives surveyed by IBM considered themselves “cyber secured”. Not only are the C-suite the ones making decisions around cyber insurance investment, they are also the ones that need to consider the repercussions of cyber-attacks. Reputational damage and financial risks are second and third respectively on the C-suite’s view of the technology risks that will be most significant over the next 3-5 years. Investing in the right cyber policies means they can invest their time where it is most needed including developing contingency plans, considering the impact on bottom line and crafting crisis communications plans to manage the organisation’s reputation following a cyber breach.
However, the onus should be on insurers as well as business executives. Insurance will be a catalyst to speed up holistic cyber security. Beyond selling products, insurance companies need to make sure “the house is in order” and ensure the organisations they are covering have good processes in place. We know now that increased awareness is driving the adoption of cyber insurance and it is the responsibility of insurers to gain the trust of the C-suite to move the industry forward. Insurance companies need to make organisations more aware of the different types of cover they offer. Collaboration is the key to combating cyber and this is the first step.
This article first appeared on The International Accounting Bulletin