76% of Organizations Have Cyber Risk Insurance – But How Does That Change Across the Globe?Data breaches and cyber-attacks continue to dominate headlines, so we can be sure that try as they might, many organizations can’t protect themselves sufficiently. Should the worst happen, are companies able to use cyber risk insurance to help them recover? Our survey of 500 companies across 11 countries shows some interesting results and attitudes on the subject.
More companies are investing in cyber risk insuranceLast year we surveyed companies in six countries, when we compare year on year results we can see that in those countries the percentage of organizations that have cyber risk insurance has gone up from 62% to 75%. Looking at individual countries there are some standout figures. In the UK the percentage of insured companies has leapt by 29% with 90% now investing in cyber risk insurance. The UK now has the highest levels of insurance across all countries surveyed. The USA saw a similar increase in insurance levels with 27% more organizations insured this year than last. By comparison countries in the Nordic regions have seen a slower uptake, Sweden only saw a 1% increase in the percentage of companies with cyber risk insurance and is the country with the lowest levels – just 57% have cyber risk insurance.
When we include the additional 5 countries, we surveyed for the first time this year 76% of organizations have some level of cyber risk insurance.
How much protection are organizations getting from their cyber risk insurance?Despite 76% of organizations having some cyber risk insurance in place, it’s telling that only half of those surveyed say their insurance covers them for all likely risks they could be insured for. It may be that in the balance of cost of insurance to coverage, it is not worth paying the extra needed to cover all likely risk. Alternatively, it could be that even if they want to be more fully insured those businesses that can’t articulate their relative risk to their insurers could find it difficult to get coverage.
Norwegian businesses are the most likely to have insurance that covers them for all likely risks; 63% say they are covered for all likely risk and just 13% say they only have partial coverage. The UK with its overall insurance rate of 90% has relatively few with comprehensive cover, only - 37% say it covers them for all likely risk.
What do organizations think about the premiums charged?Globally only 34% believe that their premiums are based on an assessment of their business that accurately reflects their risk. US companies were the most sceptical, with only 26 % believing a fair assessment has been done, which contrasts with India where 44% felt the assessment was accurate.
While it may be tempting to say that cyber risk insurers are either unfair or don’t provide enough clarity on how they set premiums, another question in the survey provides insight that offers a contrary view. While organizations may not believe that insurers can assess them fairly it’s almost certainly true that most businesses struggle to assess themselves. We asked respondents how cyber-ready they were compared to their competitors; 37% say they are better than average for their industry and 39% say they are a recognized top-performer in their industry.
How much this lack of clarity is due to the way insurers set and communicate premiums, and how much is caused by the rosy view companies take of their own cybersecurity posture is unclear. What is likely is that a lack of objective and agreed measurement and difficulties in articulating relative risk is affecting all concerned.
Ovum conducted the survey for FICO through telephone interviews with 500 senior executives, mostly from the IT function for more information there are e-books available for each country surveyed:http://securityscore.fico.com