What companies are getting wrong with cyberinsurance

Companies are waking up to the reality of breaches. They’re expensive. They’re painful. They’re probably going to happen to you sooner or later. 


But one thing companies aren’t quite getting about breaches: Those cyberinsurance policies they value so much may not be providing the right amount or kinds of protection. Two recent surveys provide more insight.

Dedicated policies aren’t common

The 2015 International Business Resiliency Survey by Marsh finds that while the C-level is engaged in cyberinsurance decisions, they might be confused by the specifics of the policies they’ve purchased.

The survey of 200 executives found 79% of respondents saying that reputation damage from a cyber breach would be both severe in impact and likely to happen. So many of the execs turned to cyberinsurance to help defray those costs:

  • 28% said they had dedicated cyber coverage against attacks, and
  • 21% said they had dedicated coverage for reputation damage.

That seems like a good step to take, until you realize that they may be overestimating their case. In fact, only 6% of risk managers said they have dedicated resources for these incidents. And with all due respect to the C-level, it’s likely risk managers would have a better picture of insurance coverage.

Market can’t support demand

In a separate survey by PricewaterhouseCoopers, executives reported even greater cyberinsurance coverage. Almost six-in-ten (59%) said they’d purchased cyberinsurance.

But according to PwC’s Joseph Nocera, the coverage they’re getting probably won’t cover as much as they might hope for. Nocera observes:

“Generally, businesses should understand that they won’t be able to insure the full risk of loss because the market just doesn’t have the supply yet. Looking at some of the big breaches that have occurred in the past year or so, many large firms are trying to get $80 to $100 million policies, while smaller companies are settling on $10 million policies … It’s also important to remember that no insurance products will protect a firm’s reputation or brand.”

And respondents also seemed keenly aware that many of the costs associated with a breach wouldn’t be covered by their cyberinsurance policies. They reported those policies covered:

  • personally identifiable information (47%)
  • payment card data (41%)
  • intellectual property/trade secrets (38%)
  • damage to brand reputation (36%), and
  • incident response (31%).

That’s a far cry from the total fallout from a cyber incident.

Know its limits

It very well may be the case that cyberinsurance will make a huge difference for your company if it ever faces a breach. But you’d be wise to know this tool’s limitations before you buy or renew a policy.

Be sure to investigate:

  • What’s covered. It may be less than you think or hope, and many of the biggest costs, such as providing customer credit monitoring or alerting affected customers.
  • What your role is. Cyberinsurance policies may require certain levels of protection from your company. There have been instances where insurers have been off the hook for damages because companies didn’t do enough to protect their systems.
  • Estimated damages. Breaches can costs millions. If your policy doesn’t cover enough, you might find yourself out of business regardless of insurance policies.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy