Global organizations are spending nearly four times more budget on property-related risks than cyber risks, according to a report released on Tuesday by the Ponemon Institute and sponsored by Aon plc.
The 2017 Cyber Risk Transfer Comparison Global Report also found that organizations now believe that their cyber assets are more valuable than plant, property and equipment (PP&E) assets, even though they are spending four times more budget on insurance protecting the latter. The global survey was based on a consolidated sampling frame composed of 60,220 individuals in North America, Europe, the Middle East, Africa, Asia Pacific and Latin America. The final sample consisted of 2,168 surveys.
“This unique cyber study found a serious disconnect in risk management,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a privacy, data protection and information security research firm. “What’s interesting is that the majority of companies cover plant, property and equipment losses, insuring an average of 59 per cent and self-insuring 28 per cent,” Dr. Ponemon said in a press release from Aon. “Cyber is almost the opposite, as companies are insuring an average of 15 per cent and self-insuring 59 per cent.”
While the majority of surveyed respondents found that cyber insurance was “inadequate to meet the needs of their organization, too expensive and has too many exclusions,” 46% reported a data breach in the last two years, with an average financial impact of US$3.6 million. Based on data breaches and security exploits experienced by the surveyed organizations, the greatest threats are business process failures that caused disruption to business operations as well as cyberattacks that caused disruption to both business and IT operations, Aon said in the release. Looking ahead, 65% of organizations expect their cyber risk exposure to increase in the next two years.
“This study compared the relative insurance protection of certain tangible versus intangible assets,” added Kevin Kalinich, cyber/network global practice leader with Aon Risk Solutions. “We have found that most organizations spend multiples more premium for fire insurance, for example, than for cyber insurance, even though they state in their publicly disclosed documents that a majority of the organization’s value is attributed to intangible assets.”
Other findings included:
The impact of business disruption to cyber assets is 72% greater than to PP&E assets;
Organizations valued cyber assets 14% more than PP&E;
Quantification of probable maximum loss from cyber assets is 27% higher than from PP&E assets;
Sixty-three per cent of companies that experienced a data breach in the last two years are now “more concerned than before” about their cyber liability;
Eighty-two per cent of companies have access to cybersecurity forensic experts in the event of a data breach; and
Thirty-six per cent of respondents said their organizations do not have to disclose in their financial statements a material loss that is not covered by insurance, but if they do, 41% said they would include it in a footnote of a financial report.