In a recent study, the Ponemon Institute looked at an emerging strategy for mitigating cyber security risks: insurance policies. Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age (available for download with registration) found that 31 percent of its sample of risk managers and executives, drawn from a range of small and enterprise-size companies, reported that they have “cyber risk” insurance.
Given the potential losses attached to cyber data breaches, internal malicious conduct and other cyber threats (an average cost of $188 per lost or stolen record, according to Ponemon’s 2013 Cost of Data Breach study), that percentage could on one hand be characterized as low. But given the limitations of these types of policies at this point, it could just as easily be characterized as high. An additional 39 percent of respondents plan to purchase a cyber risk insurance policy.
Those companies that hold these policies reported to Ponemon that the process of meeting policy requirements created a stronger total security posture, and satisfaction with the policies runs high. Forty-four percent said they were extremely likely to recommend their provider. Thirty percent have submitted a claim on their policy.
According to Ponemon:
“The primary types of incidents covered include human error, mistakes and negligence followed by external attacks by cyber criminals, system or business process failures and malicious or criminal insiders. Only 11 percent of respondents say their policies cover attacks against business partners, vendors or other third parties that have access to their company’s information assets.”
Insurers can offer coverage for the quantifiable costs of data breaches, including analysis, the cost of alerting customers and litigation costs. Less quantifiable areas such as brand damage may not be covered. Providers are also moving toward adding crisis management services for clients that may not have a dedicated risk manager, according to a piece in the Wall Street Journal.
And the policies are not limited to coverage for data loss or other data-centered risks. Other cyber risk coverage is becoming more available for system outages, both internal and within partners and third parties.