As details of more cyberattacks emerge, and the threat of attacks continues to grow, companies take more steps to improve cybersecurity. For example, companies increasingly work to engage and educate employees, and bolster anti-virus, password management and network security strength.
Some companies are also working to secure their cloud and better manage their backups to protect against so-called “ransomware” attacks. In this type of attack, hackers find a company’s critical data and then encrypt it—thereby digitally locking the owners out because only the person with the digital “key” can unlock and access that data. The hackers then offer the victim access to the “key” for a “ransom.” An organization under such an attack can either restore the locked data from a recent backup or pay the ransom.
I was interested to learn about the results of a recent survey by the Risk and Insurance Management Society (RIMS) and how survey respondents’ perspective on cybersecurity insurance is changing. It found that 80 percent of the respondents said their company bought a standalone cybersecurity policy in 2016, an article in CFO reports. As RIMS explains, policies covering cyber exposures exclusively are now the norm for many large companies.
The annual RIMS cyber survey polled 272 respondents (from companies with more than 1,000 employees and an estimated annual revenue of more than $1 billion) on issues such as exposure concerns, first-party and third-party risk, and government regulations. Almost 70 percent of the respondents said their company now transfers risk of cyber exposure to a third party. Interestingly, 24 percent of the survey respondents said their companies will spend more than $1 million on cybersecurity protections, including active monitoring and employee education, by year-end.
“Failure to keep pace with technological advancements will leave an organization at a terrible disadvantage,” says Julie Pemberton, president of RIMS and director of enterprise risk and insurance management for Outerwall Inc. “Embracing technology has enabled organizations to strengthen their performance but at the same time, it has created many new exposures which risk management must address.”
Survey respondents said they are most worried about reputational harm (cited by 82 percent of the respondents), notification costs (76 percent) and business interruptions caused by both network outages (76 percent) and data loss (75 percent) resulting from cyber breaches. Cyber extortions (63 percent) and the theft of trade secrets or intellectual property (42 percent) are also concerns.
Tellingly, the purchase of standalone cybersecurity policies increased 29 percent over the previous year. That’s thanks, in part, to more versatile insurance packages, says Emily Cummins, a member of the RIMS board of directors.
“The take-up rate increases as more people are educated in the space,” says Cummins, who is also the managing director of tax and risk management for the National Rifle Association. “As insurance suites become increasingly available, more and more companies want to procure a plan that can fit their own unique needs.”
Companies with large supply chains may be pressuring vendors to invest in more robust cybersecurity programs, driving at least part of the growth in the sector, Cummins says. For example, 25 percent of the respondents said their company bought standalone insurance because of contractual obligations with other companies, a 17 percent increase from 2015.
“The strength of an insurance marketplace is determined by how effectively insurers can respond to the needs of the buyers,” Cummins says. “The evolution of products that are specific to individual companies has been really impressive.”
What are your thoughts on insurance in case of cyberattack? Does your organization have such a policy?