The cost of a single data breach, ransomware attack or other security incident can adversely impact the most solid financial balance sheet. The growing threat from sophisticated cybercriminals targeting organizations of all sizes elevates cybersecurity insurance from an IT security concern to a critical business priority, demanding the attention of senior leadership and boards of directors. But what are the limitations of these cybersecurity policies and what are the benefits and hurdles to purchasing a policy that protects organizations? In the event of a cyberattack, how satisfied are organizations with their insurers’ response? The purpose of this research, sponsored by Recast Software, is to address these questions and help organizations prepare for the purchase of insurance.
It’s about the money. Respondents do not expect any decrease in cyber risks targeting their organizations. Instead, according to 75 percent of respondents, their organizations’ exposure will increase (47 percent) or at best stay the same (28 percent). As cyberattacks increase in severity and sophistication, the potential for a significant financial consequence is becoming more likely. According to 61 percent of respondents, the total financial impact of all security exploits and data breaches experienced by their organizations since purchasing insurance averaged $21 million.
The top two reasons for purchasing insurance are the increasing number of cybersecurity incidents (41 percent of respondents) and concerns about the financial impact (40 percent of respondents). According to the research, 65 percent of respondents say their organizations are purchasing limits ranging from $6 million to more than $100 million. However, 50 percent of respondents say it is difficult to comply with insurers’ requirements. More than 51 percent of respondents say insurers require regular scanning for vulnerabilities that need to be patched.
Ponemon Institute surveyed 631 IT and IT security practitioners in the United States who are familiar with cyber risks facing their companies and have knowledge about their organizations’ use of cybersecurity insurance. Seventy-six percent of respondents say their organizations have completed the purchase and 24 percent of respondents say their organizations are in the process.
In this section, we provide an analysis of the research. The complete findings are presented in the Appendix of this report. The report is organized according to the following topics.
- What keeps organizations’ IT security posture from being strong?
- How helpful is cybersecurity insurance in protecting organizations from adverse financial consequences?
- Dealing with the hurdles organizations face when purchasing cybersecurity insurance
What keeps organizations’ IT security posture from being strong?
Technology and governance challenges are affecting the ability to improve organizations’ security posture. Less than half (49 percent) of respondents rate their IT security posture in terms of its effectiveness at mitigating risks, vulnerabilities and attacks across the enterprise as very effective. The primary reasons are the ineffectiveness of security technologies and the complexity of the IT security environment.
Other challenges that need to be addressed are having a complete inventory of third parties with access to their sensitive and confidential data, keeping senior management up to date about threats facing their organizations and convincing management that cyberattacks are a significant risk.
Understanding the level of cyber risk is important because organizations realize cyber threats are not decreasing. Sixty-three percent of respondents say they assess the level of cyber risk to their organizations. According to 75 percent of respondents, cyber risks will increase (47 percent) or stay the same (28 percent).
The internal assessments are informal (23 percent) or formal (21 percent). However, 37 percent of respondents say their organizations do not do any type of assessment (21 percent) or rely on intuition or gut feel (16 percent). Only 19 percent hire an independent third party to conduct the assessment.
How helpful is cybersecurity insurance in protecting organizations from adverse financial consequences?
Cybersecurity insurance can improve organizations’ security posture. As reported, 76 percent of respondents have completed the purchase of cyber insurance. On average, these organizations have held their policies for two years, which gives them an understanding of the benefits and effectiveness of cyber insurance.
Almost half (49 percent) of respondents say following the purchase of cybersecurity insurance their cybersecurity posture improved greatly or significantly. However, 48 percent of these respondents changed insurance companies. The primary reasons for the change were the cancellation of the policy or the high expense.
Since purchasing cybersecurity insurance, the threats to organizations did not decrease. While only 27 percent of respondents say cyberattacks have increased and only 17 percent of respondents say their IT security costs have increased, 45 percent and 44 percent of respondents, respectively, say cyberattacks and IT security costs have stayed the same.
Forty-three percent of respondents say cyber insurance coverage is sufficient with respect to coverage terms and conditions, exclusions, retentions, limits and insurance carrier financial security. Sixty-seven percent of respondents are extremely satisfied (23 percent), very satisfied (21 percent) or satisfied (23 percent) with coverage.
The financial consequences of all security exploits and data breaches experienced since the purchase of insurance average $21 million. This figure includes all costs: out-of-pocket expenditures such as ransomware, consultant and legal fees, and indirect business costs such as productivity losses, diminished revenues, legal actions, customer turnover and reputation damage. Sixty-one percent of respondents experienced a significantly disruptive security exploit or data breach since the purchase of cybersecurity insurance.
Fifty-three percent of respondents say their organizations filed a claim following the incident, and an average of 46 percent of the losses, or approximately $9.7 million, were covered. When asked how satisfied their organizations were with the insurance company’s response to the claim, less than half (46 percent of respondents) were very or highly satisfied with the response.
Sixty-five percent of respondents say their organizations have experienced cyberattacks such as ransomware or denial of service, and 61 percent of respondents say cyberattacks have resulted in the misuse or theft of business confidential information, such as intellectual property.
Dealing with the hurdles organizations face when purchasing cybersecurity insurance
Insurance companies’ assessment of organizations’ security posture is mainly focused on the existence of an adequate budget. Only half (50 percent) of respondents say the insurance company assesses their security posture. If they do, it is to determine if there is adequate budget (65 percent of respondents). Other factors included are evidence of security and training programs conducted (52 percent of respondents), effectiveness of incident response team (45 percent of respondents) and ability to detect and prevent cyberattacks (45 percent of respondents).
To read the rest of this report, visit the ReCastSoftware.com website.