[BreachExchange] Cyber Insurance Purchasing Slowing After 6 Years of Fast Growth

Wed Nov 2 10:41:54 EDT 2016

http://www.insurancejournal.com/news/national/2016/11/01/431029.htm

The overall upward trend of organizations purchasing cyber insurance
continued in 2016, however there are signs the market is slowing after six
years of rapid growth.

A 2016 Zurich Insurance-Advisen survey shows that over the last six years,
the proportion of companies buying cyber insurance has increased by 85
percent, up from 35 percent of companies purchasing coverage in 2011 to 65
percent in 2016.  However, the proportion of companies buying in 2016 was
up only seven percent from 2015. This compares to an 18 percent increase in
2015 over 2014.

Businesses within personal data-driven industries such as health care,
finance and banking, retail and communications industries view cyber risk
more seriously, have more robust cyber security and risk management
strategies, and are more likely to purchase a security and privacy
insurance, according to the survey. Seventy-six percent of respondents from
personal data driven industries view cyber risk as a significant threat as
opposed to 55 percent from non-data-driven industries.  In addition, 78
percent of respondents from personal data- driven industries purchase
security and privacy insurance, compared with only 59 percent from all
other industries.

Over the six years of this study, the cyber risk awareness of businesses
outside the personal data- driven industry segment has grown, but the
authors note there are still some companies that believe their exposure is
minimal. For example, the top reason respondents do not purchase a cyber
policy is they believe their organization is not susceptible to a
cyber-related loss.

“The nature of data security has changed immensely in the six years we have
worked on this survey with Advisen,” said Bryan Salvatore, president of
Specialty Products for Zurich North America. “This year’s results continue
to mark the evolving views of risk professionals, C-suite executives and
boards and reveal a shifting approach to information security and cyber
risk management.

Salvatore said that industries handling personal data have developed a
“good understanding” of the risks associated with potential security
breaches, however there is “more work to do” to help other industries
better understand the risks they face and how best to protect themselves.

The survey reflects responses from 345 U.S.-based risk managers, insurance
buyers and other risk professionals covering both large and small companies.

C-suite Attitudes

Eighty-five percent of C-suite executives view cyber security as a
significant threat, which is 27 points higher than the first survey in 2011
when only 58 percent of respondents indicated that their C-suites
executives considered it as such. The results show that most businesses
have implemented at least some pre-breach risk management activities.

Businesses are recognizing the additional threat of engineering tactics
such as phishing and spear phishing emails to employees, with 50 percent of
respondents indicating that employees unintentionally infecting their
network with malware was a high or extremely high risk and the top concern
of survey respondents.  But even with a high level of concern about the
“human element,” the survey shows that approximately 21 percent of
respondents say they still do not have an employee education program in
place.

Other findings include:

Eighty-seven percent of respondents believe a technology interruption would
have a moderate- to- significant impact on their business. Still, 13
percent do not see technology interruption as even having a moderate risk.
For the first time in the six years of this study, general counsel has
surpassed information technology (IT) as the department most frequently
responsible for assuring compliance with all applicable federal, state, or
local privacy laws, including state breach notification laws.
Most companies surveyed (97 percent) clearly recognize the importance of
collaboration between their risk management and information technology (IT)
departments on issues related to cyber security.
Costs related to a breach of customer/personal information is the leading
reason for purchasing security and privacy insurance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161102/73bd104b/attachment.html>