Cyber-insurance has been an interesting topic relating to enterprise risk management and cyber security for as long as I can remember - back when the first mass email and Internet attacks started to hit in 1998 and 2000.
In those days, IT security was in its Cambrian Period, as IT generally was exploding from the relative safe confines of highly delineated local- and wide-area networks to the Web. There was actually a perimeter in those days. But as IT was opening itself up to customers, suppliers, partners - the world, really - IT security tools and technologies were still in their infancy.
It was just not possible for insurers to calculate the risk, or even judge the maturity of an IT security program. It was all just too new, and I detailed some of this way back in 2002 in the story Insuring Against Cybercrime Gets Tougher.
From that 2002 story:
Sept. 11 took a huge toll on the insurance industry, which will pay out $50 billion as a result of the terrorist attacks. Now, insurers have drawn a line in the sand. "They want to make it clear that losses stemming from denial of service, viruses, and intellectual property violations aren't covered by standard policies," Hartwig says.
Supplemental policies, which cover viruses, security breaches, and denial-of-service attacks, can range from 2% to 8% of the overall premium's cost, says Michael Lamprecht, national practice leader of E-insurance for broker Arthur J. Gallagher. The coverage also often requires an audit of security systems and policies, which can range in price from $4,500 to $50,000.
Another interesting sentiment during that time was that many businesses - especially small and mid-sized businesses - just didn’t think they’d be targeted by hackers.
It’d be tough to find someone who works in IT who holds that viewpoint today.
Still, I wasn’t surprised to read that Most Companies Remain Uninsured For Cyberattacks today. The finding is based on a Ponemon Institute study that looked into how organizations currently view cybersecurity insurance and risks.
Interestingly, the study found that organizations view the potential damage of cyber attacks to be as high as those caused by natural disasters. Still, only 31% of enterprises hold cybersecurity insurance today, but many more say they’re considering it.
Here are some findings from the report:
-- Security exploits pose a risk greater than or equal to that of a natural disaster, business interruption, fire, etc., according to 76% of respondents.
-- On average, respondents say there is a 9% likelihood that their company will experience the predicted maximum financial impact ($163 million) during a data breach. This is a small but significant number when compared with other areas of risk that are regularly insured.
-- In addition to the 31% that hold the insurance, 39% more say their organization plans to purchase a policy.
-- Additionally, more than half with a policy believe it is an essential part of their companies' risk management programs.
A number of interesting findings, to be sure. Still, as someone who has interviewed IT leaders from businesses initially shut down by the 9/11 attacks, as well as those who fought to recover from numerous tornadoes, hurricanes, and floods, I can't equate the vast majority of IT security events or breaches with natural disasters, or with business interruptions such as those caused by 9/11.
It's hard to see the equivalent in destruction, loss of access to infrastructure, and ability to recover - especially when managers and team members are scattered, unable to communicate, or perhaps injured or killed in the event, and left without power, without the ability to travel freely, and perhaps without access to all of their systems.
Perhaps others see it differently, but I wonder how many actually helped to guide their enterprises through a natural disaster or serious physical disruptive event.
Regardless, many firms today see cybersecurity insurance as a viable addition to their risk management strategy.
How do you, or your organization, see this form of insurance?