While the majority of global organisations say that it’s now ‘vital’ their operations are insured against information security breaches, fewer than half (41%) are fully covered for both security breaches and data loss, while just over a third have dedicated cyber security insurance in place. These are the findings of the 2016 Risk:Value report produced by NTT Com Security, the global information security and risk management company, which examines businesses’ present attitudes towards cyber security and risk.
Research conducted among no fewer than 1,000 non-IT business decision-makers representing organisations across the UK, the US, Germany, France, Sweden, Norway and Switzerland reveals that roughly one in ten (12%) have no insurance cover at all for either eventuality. This is despite the fact that most business decision-makers admit there’s now an increased cyber security threat, and that the cost of an organisation recovering from an attack in the digital realm could start from a ballpark figure of around £1.2 million.
While cyber liability insurance has become increasingly popular and might include cover for data/privacy breaches, extortion liability and network security liability, only 35% of businesses currently see the need to take out a policy, although a further 43% are now in the process of organising one (or at the very least thinking about doing so).
Businesses in the US are most likely to have this type of insurance in place (51% compared to just 26% in the UK). Notably, wholesale organisations (43%) are most likely to take out dedicated cyber insurance, together with business/professional services operations (43%) and utilities companies (39%).
Fewer than half (46%) of those respondents whose organisation has company insurance that covers data loss or a breach expect it to cover legal costs as well. Even fewer expect such insurance to cover regulatory fines (43%), government fines (41%) and remediation (41%).
Covering loss of business and the loss of intellectual property is even less likely, according to the report, and stands at just 25%.
When it comes to the validity of insurance cover, half of respondents to the NTT Com Security survey cite that lack of compliance with necessary security criteria could invalidate their insurance, while 46% feel that not complying with business policies might be a problem. Some 43% point towards the lack of an incident response plan.
Security and risk management strategies
“Faced with risks every day, it’s easy for organisations to look towards quick-fix solutions rather than focusing on building a solid security and risk management strategy,” asserted Garry Sidaway, senior vice-president for security strategy and alliances at NTT Com Security.
“Rather than relying solely on an insurance policy to cover losses, businesses need a different game plan. Buy insurance by all means, but ensure you can demonstrate that you have put controls in place to reduce your risks, and outline what these controls cover. That way, you know what’s being insured. Being able to demonstrate that such controls are tested and monitored is also essential. Insurers need to know what they’re actually insuring and the controls put in place to protect business assets. This is the only way they can agree on cover.”
Sidaway added: “Security needs to be embedded within the culture of an organisation from top to bottom. It must be actively championed by the CEO, designed and executed by the CISO and communicated effectively such that every employee takes responsibility for ensuring that good practices are followed.”
Cyber insurance is a potentially huge market. According to a report produced by PwC, annual gross written premiums are estimated to grow from around $2.5 billion in 2015 to reach $7.5 billion by the end of the decade.
The NTT Risk:Value report also reveals that only around half (52%) of businesses have a full information security policy in place, while less than half (49%) have a dedicated disaster recovery plan in place.
Specific results among UK organisations
* 45% of UK respondents say they’re covered for the financial impact of data loss and a security breach
* 21% of UK respondents are covered for data loss only and 7% for a security breach only
* 9% of UK respondents are not covered for the financial impact of either data loss or a security breach
* 19% of UK respondents don’t know whether or not their business is covered (compared to 14% globally)
* Only 26% say their company has a dedicated cyber security insurance policy in place (compared to 35% globally)
* 38% of UK respondents are in the process of developing such a policy (compared to 27% globally)
* 11% of UK respondents are thinking about developing a policy, while 7% presently have no plans to do so
Of those respondents whose organisation has insurance cover in place for data loss and/or a security breach:
* Only 38% of UK respondents say their company insurance would cover the financial impact of legal costs from a security breach or information loss (compared to 46% globally)
* 22% state that their company insurance would cover the financial impact of remediation from a security breach or data loss (compared to 41% globally)
* 16% suggest that their company insurance would cover the financial impact of the loss of intellectual property (compared to 25% globally)
Finally, of all those aspects listed, UK respondents feel that lack of compliance has the highest chance of invalidating their company insurance (46%), followed by the lack of an incident response plan (38%), poor physical security (37%) and the lack of employee care/attention (33%).
Background to the survey
Commissioned by NTT Com Security, the research was conducted by Vanson Bourne during October and November 2015 and launched in February this year.
1,000 business decision-makers (not in IT) were surveyed in the US, the UK and Germany (200 in each) and France, Sweden, Norway and Switzerland (100 in each).
Organisations had more than 500 employees, but those in Norway, Sweden and Switzerland could come from organisations with at least 250 employees.
A minimum number of responses was collected from the financial services sector (at least 50 in the UK, the US, France and Germany, and at least 30 in each of the other countries listed).
The Risk:Value 2016 report’s Executive Summary is available for download from NTT Com Security.