We recently commissioned a study from independent research company Ovum on how organizations are tackling cybersecurity and what they plan to do next. Losses because of a data breach or other cyberattack can be severe, particularly when factors such as customer and shareholder confidence are taken into account. We therefore expected that cyber risk insurance would be an increasingly important way in which organizations are mitigating their risk.
The results were far from uniform:
- The UK was the most insured country we surveyed, with 69% of respondents holding some kind of insurance, and the USA was the least insured – only 51% of US respondents had any kind of cyber risk insurance.
- Across the industries surveyed, financial services firms were the most likely to be insured (71%), and healthcare the least likely (26 percent).
- Even when businesses have invested in cyber risk insurance, it’s unlikely to cover them for all likely risks.
We dug a little deeper into the attitudes of our respondents to try to uncover why under insurance might occur. Three explanation emerged – each is playing a part:
- They have limited investment in cybersecurity. 60% of those interviewed have seen an increase in attacks in the past year and 62% expect the overall level of threat from cyber-attacks and data breaches to increase in the coming year. Many respondents are also facing more consequences should they lose customer data, with legislation such as General Data Protection Regulation (GDPR) massively increases the fines that can be imposed. Even so, less than half (48%) expect spending on cybersecurity to increase in the coming year. While it is encouraging to see 23% are looking to invest in cyber-risk insurance, the pressure on finances may mean that they actually can’t afford to do this – or they can only take out insurance to cover the most obvious threats.
- They think it won’t happen to them. We asked respondents how cyber-ready they thought their business was compared to their competitors. 60% think they are above average or top performers, while only 6% think they are below average - this is statistically unlikely. With an unrealistic view on how well they are doing, it’s probable that they don’t appreciate their true risk and therefore don’t see the need for comprehensive insurance cover. It seems that many don’t have the ability to make objective judgements about their cybersecurity risk. This becomes evident when we look at how they benchmark their cybersecurity status; 38% use their own benchmarks and criteria and 6% don’t carry out measurable assessments.
- They are unclear on how premiums are set. Businesses that invest in cybersecurity want to understand what they are paying for and the value it delivers. For cyber risk insurance, this means not only understanding what the policy covers but also having confidence that the premiums charged accurately reflect risk. Only 23% believe that pricing from insurance companies is clear and transparent. 23% believe the insurance assessment for their business isn’t accurate, 19% say their premiums are based just on industry averages and 5% don’t understand how their business is assessed for cyber risk insurance.
Risk Measure Is Key to Cybersecurity InsuranceUltimately, the part cyber risk insurance can play is dependent on a measurement of risk that both the insurer and insured can agree on. In this way businesses, are less likely to over-estimate their cyber-readiness and can build a trusted relationship with insurers based on a common understanding of the cover they need.
We have developed the FICO Enterprise Security Score to help businesses objectively assess their own cybersecurity status, as well as that of third parties. FICO Enterprise Security Score accesses billions of external data points at internet scale, and compares the subject’s cybersecurity posture to the pre-breach status of known attacks. Applying our analytics to this data gives an empirically derived score, so that:
- Businesses have an objective measure of their cybersecurity status.
- Insurers can score organizations to determine risk and set fair and competitive premiums.
- Insurers can understand the risk across their customer portfolio.