Computing the Risk

August 31, 2013 | Last updated on October 1, 2024
Greg Meckbach, Associate Editor

A recent report on cyber risk by Ponemon Institute LLC should pique some interest among carriers and brokers, as well as anyone concerned about the ability of businesses and government agencies to operate in the event of a telecommunications or information systems breakdown.

There is a general awareness in the insurance industry that a significant number of organizations have no cyber insurance. But do industry professionals and the general public really understand why?

The Ponemon report – titled Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age and announced in August – was based on 638 responses to a survey of individuals involved in their organizations’ cyber security risk mitigation and risk management activities. Respondents were from both government and private-sector organizations.

The fact that 69% of respondents said their organizations did not have cyber insurance policies – or sets of policies – is probably old news to property and casualty professionals. More than half (52%) of the 69% of respondents without policies said the premiums were too expensive. That might also be old news, given that most companies operating in competitive markets probably encounter prospective clients objecting to price.

What may not be old news is that when respondents without cyber coverage were asked why they did not buy policies, 26% said they are “unable to get insurance underwritten because of current risk profile.” Also, 26% said “coverage is inadequate based on (their) exposure,” and nearly half, or 44%, said such policies had “too many exclusions, restrictions and uninsurable risks.” Multiple responses were allowed.

If the responses to Ponemon Institute’s survey are representative of the business community as a whole, then it seems that 18% of companies (26% of the 69% without coverage) could not qualify for cyber coverage – even if they wanted to buy it – because insurance carriers do not want to share their risk. Almost one in five respondents are unable to buy a policy that covers their exposure while nearly a third (44% of the 69% without coverage) seem reluctant to purchase the coverage available due to the policies’ exclusions and restrictions.

Cyber insurance is an emerging market, noted Michael Bruemmer, vice president at Experian Data Breach Resolution, which sponsored the Ponemon Institute survey. Bruemmer predicted that a year from now, more than 50% of companies will have cyber policies. He added that nearly two-thirds of the respondents surveyed indicated that “just by going through the process of applying for a cyber insurance policy, they felt better prepared.”

In the United States, Bruemmer said, carriers tend not to cover public sector organizations with a “high concentration” of personal information on individuals, distributed among multiple computer networks. He also suggested more companies are not only forming computer security incident response plans, but they are also becoming more sophisticated by practising their response plans. This way, he added, they are able to comply with the minimum criteria to qualify for coverage.

But are companies that now qualify for coverage eager to buy it?

When Ponemon asked those with cyber coverage what is covered, only 11% said their policies cover attacks against business partners, vendors or other third parties that have access to the company’s information assets.

Only about half – 54% – reported their policies cover malicious or criminal insiders. How many risk professionals really want those risks excluded from their organizations’ cyber policies?

On the one hand, customers should not blame underwriters if they are unwilling to bet their money on the security of policyholders’ business partners, or on the honesty of all of a policyholder’s employees. But on the other hand – as with any other line of insurance – it will not always be easy to sell a policy to a client whose main concerns are the risks that carriers are unwilling to cover.