
Most organizations lack cyber coverage, despite experiencing breaches or attacks


August 12, 2013   by Canadian Underwriter



More than two-thirds of companies responding to a recent web survey say they do not have cyber insurance and of those who don’t, one in four cannot get insurance because of their risk profile.


That’s based on a survey report from Ponemon Institute LLC, titled Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age.

Fewer than half of respondents with cyber coverage said their policies cover third party liability and only about one in ten with cyber insurance had policies that cover attacks against business partners or others with access to their organization’s electronic data.

But of all respondents, 40% predicted the maximum financial exposure to their organization of security exploits and data breaches could be more than $100 million over the next two years.

The individuals surveyed, who were involved in their organizations’ cyber security risk mitigation and risk management activities, were asked whether their company has a cyber insurance policy or set of policies. Nearly one in three (31%) said yes and the other 69% said no.

The Ponemon Institute report was sponsored by Dublin-based Experian, whose services include managing data breaches. It was based on 638 responses to the survey.

Among the respondents whose organizations did not have cyber insurance policies, 57% of them said they “plan to purchase one in the future.”

When asked for the main reasons they do not have policies, more than half (52%) said premiums were too expensive. Multiple responses were permitted. Nearly half (44%) said policies had “too many exclusions, restrictions and uninsurable risks,” 38% said their P&C policies were sufficient, 26% said they are “unable to get insurance underwritten because of current risk profile” and 26% said “coverage is inadequate based on (their) exposure.”

Traverse City, Mich.-based Ponemon Institute does research on privacy, data protection and information security policy. For its report, released Aug. 7, the organization used a random sampling frame of 18,829 individuals, and 1,957 respondents completed the survey. The final sample used was 638 surveys. Screening and reliability checks removed 319 surveys.

More than half (56%) of respondents said their organization had experienced a “material security exploit or data breach one or more times over the past 24 months.” Ponemon defined a “material security exploit” as a cyber attack that infiltrates the company’s networks or enterprise systems, while “material data breach” was defined as “one that results in the loss or theft of 1,000 or more records.”

Of those who experienced such an attack or breach, the average cost to their organization was $9.4 million. All figures are in U.S. currency. Respondents were asked to provide the “total financial impact of security exploits and data breaches,” including consultant and legal fees, indirect business costs such as productivity losses, diminished revenues, legal actions, customer turnover and reputation damages.

No respondents reported an impact of more than $100 million, while 2% reported an impact of $50 million to $100 million, 4% reported $25 million to $50 million, 17% reported $10 million to $25 million, 24% reported $5 million to $10 million and 19% reported $1 million to $5 million.

Nearly one in four (24%) of the 56% of respondents who had an attack or breach in the last two years said the financial impact was less than $1 million. Eight per cent reported an impact of $500,001 to $1 million, 9% reported $250,001 to $500,000, 4% reported $100,001 to $250,000, 2% reported $10,001 to $100,000 and 1% said the financial impact was less than $10,000.

However, when asked to predict their company’s “maximum financial exposure of security exploits and data breaches for the next 24 months,” the average estimate was about $163 million.

One in ten respondents said they “cannot determine” the maximum financial exposure, 8% predicted it could be more than $500 million, while 14% predicted it could be $250 million to $500 million.

Eighteen percent predicted it could be $100 million to $250 million; 17% predicted it could be $50 million to $100 million; 11% predicted it could be $25 million to $50 million; 7% predicted it could be $10 million to $25 million; 7% predicted it could be $5 million to $10 million; and 6% predicted it could be $1 million to $5 million, while only 2% predicted their maximum financial exposure could be less than $1 million.

Of those who had cyber policies, 30% said their organization had experienced a security exploit and/or data breach and submitted a claim for losses.

The survey respondents were also asked what type of incidents were covered by their cyber insurance policy, and more than one response was permitted. About three quarters (76%) said their policy covers human error, mistakes and negligence; 72% reported it covers external attacks by cyber criminals; 61% reported it covers system or business process failures; and 54% reported it covers malicious or criminal insiders.

Only 11% of respondents who had policies said those policies cover attacks against business partners, vendors or other third parties that have access to the company’s information assets.

When asked what protections or benefits are covered by their policies, 86% said they cover notification costs to data breach victims, 73% reported they cover legal defense costs, 64% reported they cover forensics and investigative costs, 48% reported they cover replacement of lost or damaged equipment and 46% reported they cover regulatory penalties and fines. Less than a third (30%) of respondents with cyber policies said those policies cover third party liability.

Ponemon Institute noted there are some limitations to web-based surveys.

“It is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument,” according to the report, which noted the accuracy is based, in part, on the degree to which the list is representative of individuals who are involved in their companies’ cyber security risk mitigation and risk management activities.

