Here in the United States, there are two types of insurance that we need the most: Medical Insurance, and of course, Car Insurance. There are many other types of insurance that we need as well, depending of course on your own needs, and if you have a business. If it is the latter, your insurance needs will be much higher. Now, there is a new type of insurance which will soon be needed no matter what – that of Cyber security insurance.
Although this is meant to protect businesses and corporations financially from a Cyber attack and the data loss that follows, individuals may soon need it themselves in order to protect their own personal information and data. This would be similar to a sort of Identity Theft insurance. However, as much as entities are realizing that they are at risk for a Cyber attack more than ever before, few are yet realizing the importance of having Cyber security insurance.
According to the Risk:Value report from NTT Security:
*Only 30% of organizations have an actual Cyber security insurance plan in place;
*81% of C-Level Execs admit that having this insurance is vital (even though they do not have it in place yet);
*Only 6% of businesses have just enough insurance to cover information security breaches;
*Only 11% are covered for any sort of data loss;
*Over 50% of the C-Level Execs surveyed do not even know if they have any Cyber security insurance at all, and if they do, they do not know what it even covers.
It is important to note that this survey was conducted on companies in the United Kingdom only; no US organizations were polled. But despite the dismal numbers just revealed, the UK actually ranks about in the middle of the pack for companies having Cyber security insurance. Here are the stats on that:
*The United States at 53%;
*Singapore at 53%;
*Belgium at 27%;
*Norway at 23%;
*Sweden at 28%;
*Germany at 29%.
In fact, it costs the average UK business well over 1 Million pounds (that is almost $1.3 Million here in the United States).
Other alarming stats from this survey:
*50% of companies do not even follow their own Security Policies when it comes to deploying the latest software upgrades and patches;
*37% of organizations do not even come into compliance with UK-based Legislation and Mandates;
*38% of companies do not even have a Disaster Recovery plan in place;
*16% of organizations claim to be working on a Backup/Recovery plan.
Again, these are companies that have been surveyed in the United Kingdom only.
Realizing this, the UK government has imposed some very stiff penalties on UK businesses and corporations if they do not come into compliance. For instance, the fines could be as high as 17 Million Pounds (which is almost $22 Million), or 4% of net profit from the bottom line.
But all the while, although many UK businesses do not have Cyber security insurance, it is now a booming business over there. For example, Lloyd’s of London is the leading Cyber insurer, while Allianz predicts that global Cyber security insurance premiums will grow to $20 Billion by 2025, up from around $3-4 Billion, which are the current levels.
But just because your business has Cyber Security insurance does not guarantee a payout in case you are hit. You have to have everything in place as well from a Security standpoint, which includes having Disaster and Backup Recovery plans, the right controls, etc.
My thoughts on this?
I am actually quite surprised to see that the United States actually fares better than the UK when it comes to its business entities having Cyber security insurance. So, this survey is a bit of a surprise to me. Although not defending these companies, I can see why this is such an underrated topic.
The time for a C-Level Exec or even an IT Manager is at a premium, so trying to comb through and procure a policy can be a real pain.
Also, there is the fallacy that just because you have a well-trained IT staff and the latest Security technologies in place, all is well and safe. While this might be true in the short term, it is the long term that is often forgotten about.
This is usually when the investigations as to what happened start, insurance claims are filed, customers are advised on what they should do, etc.
Remember, Cyber security insurance is a long-term need, and will soon be of grave importance along with the technology, people and communications processes that you have in place. I myself do not know much about Cyber security insurance, but promise to look into this more and write a blog or two on the details of it.