Insurance against cyber attacks ‘vital’ say businesses but only 41% covered for both security breaches and data loss
One in 10 admit to no insurance cover at all, according to NTT Com Security Risk:Value report
London, UK; 14 April 2016 – While the majority of global organisations say that it is ‘vital’ their organisation is insured against information security breaches, less than half (41%) are fully covered for both security breaches and data loss and just over a third have dedicated cybersecurity insurance. This is according to the 2016 Risk:Value report looking at attitudes to cybersecurity and risk from NTT Com Security, the global information security and risk management company.
Research among 1,000 non-IT business decision makers in organisations in the UK, US, Germany, France, Sweden, Norway and Switzerland reveals that one in ten (12%) have no insurance cover at all for either eventuality. This is despite most business decision makers admitting that there is an increased cyber security threat, and that the cost of recovering from such an attack could start from around $1 million (£1.2m in the UK).
While cyber liability insurance has become increasingly popular and can include cover for data/privacy breaches, extortion liability and network security liability, only 35% of businesses currently see the need to take a policy out, although a further 43% are getting one or thinking about it. Businesses in the US are most likely to have this type of insurance – 51% compared to just 26% in the UK. Notably, wholesale organisations (43%) are most likely to take out dedicated cyber insurance, together with business/professional services (43%) and utilities companies (39%).
Less than half (46%) of those respondents whose organisation has company insurance that covers data loss or a breach expect it to cover legal costs. Fewer expect it to cover regulatory fines (43%), government fines (41%) and remediation (41%). Covering loss of business and loss of IP (intellectual property) is even less likely, according to the report, at just 25%.
When it comes to the validity of insurance cover, half of respondents cite that lack of compliance with necessary security criteria could invalidate their insurance, while 46% feel that not complying with business policies could be a problem, and 43% point to the lack of an incident response plan.
“Faced with risks every day, it’s easy for organisations to look for quick-fix solutions rather than focusing on building a solid security and risk management strategy,” says Garry Sidaway, SVP Security Strategy & Alliances, NTT Com Security. “Rather than relying solely on an insurance policy to cover losses, businesses need a different game plan. Buy insurance by all means, but ensure that you can demonstrate that you have put controls in place to reduce your risks, and what these controls cover – this way you know what is being insured. Being able to demonstrate that these controls are being tested and monitored is essential. Insurers need to know what they are insuring and the controls put in place to protect assets – this is the only way they can agree on cover.”
Garry Sidaway adds: “Security needs to be embedded into the culture of an organisation, from top to bottom, championed by the CEO, designed and executed by the CISO and communicated effectively so that every employee takes responsibility for ensuring that good practices are followed.”
Cyber insurance is a potentially huge market, and annual gross written premiums are estimated to grow from around $2.5 billion in 2015 to reach $7.5 billion by the end of the decade, according to “Insurance 2020 & beyond: Reaping the dividends of cyber resilience”, a report by PwC.
The NTT Risk:Value report also reveals that only around half (52%) of businesses have a full information security policy, while less than half (49%) have a disaster recovery plan in place.
Notes to editors – specific UK figures:
- 45% of UK respondents say they are covered for the financial impact of data loss and a security breach
- 21% of UK respondents are covered for data loss only and 7% are covered for a security breach only
- 9% of UK respondents are not covered for the financial impact of either data loss or a security breach
- 19% of UK respondents do not know whether or not they are covered (compared to 14% globally)
- Only 26% say their company has a dedicated cyber security insurance policy (compared to 35% globally)
- 38% of UK respondents are in the process of getting one (compared to 27% globally)
- 11% of UK respondents are thinking about getting one, while 7% have no plans to get one
- Of those respondents whose organisation has insurance cover for data loss and/or a security breach:
  - Only 38% of UK respondents say their company insurance would cover the financial impact of legal costs from a security breach or information loss (compared to 46% globally)
  - 22% say their company insurance would cover the financial impact of remediation from a security breach or data loss (compared to 41% globally)
  - 16% say their company insurance would cover the financial impact of loss of IP (compared to 25%)
- Of all aspects listed, UK respondents feel lack of compliance had the highest chance of invalidating their company insurance (46%), followed by lack of an incident response plan (38%), poor physical security (37%) and lack of employee care/attention (33%).
*All of the above information was sourced from the NTT Com Security Risk:Value 2016 Report.
Commissioned by NTT Com Security, the research was conducted by Vanson Bourne during October and November 2015 and launched in February 2016. 1,000 business decision makers (not in IT) were surveyed in the US, UK and Germany (200 in each), and France, Sweden, Norway and Switzerland (100 in each). Organisations had more than 500 employees, but those in Norway, Sweden and Switzerland could come from organisations with at least 250 employees. There was a minimum number of responses from the financial services sector (at least 50 in UK, US, France & Germany and minimum of 30 in the other countries).
About NTT Com Security
NTT Com Security is a global information security and risk management organisation, which delivers a portfolio of managed security, business infrastructure, consulting and technology integration services through its WideAngle brand. NTT Com Security helps organisations lower their IT costs and increase the depth of IT security protection, risk management, compliance and service availability. NTT Com Security AG is headquartered in Ismaning, Germany, and is part of the NTT Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world. For more information, visit http://www.nttcomsecurity.com.