Companies now rank cyber security risks as greater than natural disasters and other major business risks, according to a new Ponemon Institute study. While only 31 percent of companies are insured today, there are a growing number of companies exploring policies. This indicates a larger appetite for financial protection in the wake of a breach.
Companies surveyed acknowledged the potential financial impact associated with security breaches. Of the 56 percent that had breaches, they reported an average cost of these incidents as $9.4 million in the last 24 months.
However, these costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents.
Data breaches impact more than IT teamsWith the rapid increase in the threat landscape and the number of data breaches, concerns over how to manage them have moved beyond corporate IT teams to other major parts of organizations.
Many companies realize that security incidents create significant financial risks that must be managed like other major business risks. In fact, respondents quantified the average potential maximum financial risk of a data breach at $163 million, with some projecting more than $500 million in damages.
- Security exploits are greater than or equal to a natural disaster, business interruption, fire, etc., according to 76 percent of respondents.
- On average, respondents say there is a nine percent likelihood that their company will experience the predicted maximum financial impact during a data breach. This is a small but significant number when compared with other areas that are regularly insured.
Most companies are increasingly looking to cyber insurance as part of the solution for managing the risk posed by security incidents to accompany technical protections. Not surprisingly, the study found that the likelihood of a company considering a policy increases after experiencing an incident.
- Thirty-one percent of companies report current cyber insurance coverage, and survey results show growth on the horizon. In fact, 39 percent of respondents say their organization plans to purchase a policy.
- Additionally, more than half with a policy believe it is an essential part of their companies’ risk management programs.
Despite the increased interest in cyber insurance, there are some companies that still are skeptical about policies and restrictions. Thirty percent noted they do not plan on purchasing cyber insurance.
- Those without a policy noted that price is a roadblock for purchasing. Respondents also said that policy conditions that include excessive exclusions, restrictions and uninsurable risks inhibit their organization from purchasing a policy.
- However, of those with insurance, 62 percent believe the premiums are fair given the nature of the risk.
The evolution of how to prepare for and manage security exploits will continue to advance. The study indicates more and more interest and adoption of cyber insurance policies as a means to mitigate the impact of an exploit.
“Companies worry about the financial impact following a data breach,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Cyber insurance could be an important part of a risk management strategy to protect against potentially severe financial losses.”