Only one-third of senior executives in UK organisations say that their company insurance currently covers them for a security breach and for the financial impact of data loss, according to a new report.
This is despite the fact that 81 percent agree that it is “vital” that their organisation is insured against information security breaches.
The findings are published in the latest Risk:Value report from NTT Security, which also reveals that less than one-third (29 percent) of firms have dedicated cybersecurity insurance in place.
The 2018 report, which looks at the attitudes of 1,800 senior non-IT decision makers worldwide to business risks and the value of information security, reveals that UK businesses would have to spend an average of £1 million to recover from a breach.
While the UK compares poorly to other markets like the US and Singapore when it comes to insuring against both information security breaches and data loss (53 percent of respondents in both cases), it still fares better than the Benelux region (27 percent) and the Nordics (23 percent in Sweden, 28 percent in Norway).
However, the UK ranks second from last for having dedicated cyber insurance, alongside Germany and just above the Benelux countries.
Just six percent of respondents in the UK say their company insurance only covers them for information security breaches, while 11 percent are covered only for data loss.
However, the fact that nearly half (45 percent) of those surveyed didn’t know if their company insurance covers either of these issues specifically is a major cause for concern, given that it is the highest figure for any of the countries in the report – and well above the global average of 23 percent.
Kai Grunwitz, senior VP EMEA at NTT Security, said: “With estimated annual losses from cyber crime now topping $400 billion (£291 billion) according to the Center for Strategic and International Studies, you would hope that more organisations would be beating a path to insurers’ doors.
“But while the insurance sector is certainly seeing growth in the number of policies being taken out to cover such losses, it’s an issue that many senior decision makers are just not on top of.”
According to industry figures, the number of insurers now offering cyber insurance via Lloyd’s of London has leapt to more than 70, nearly double the number a few years ago, while insurance giant Allianz predicts that global cyber insurance premiums will grow to $20 billion by 2025, up from around $3-4 billion at present.
According to the 2018 Risk:Value report, half of respondents in UK organisations believe that the failure to maintain or apply updates to existing IT systems would, or could, invalidate their company insurance, while 37 percent point to lack of compliance with regulations, such as the EU’s General Data Protection Regulation (GDPR), which came into force in May.
While 63 percent of respondents in the UK say they have an incident response plan in place, and another 18 percent are in the process of implementing one, 38 percent agree that lack of an incident response plan could or would also invalidate their company insurance.
Incident response is a basic requirement of best-practice security and is even more important with GDPR mandating 72-hour notifications following a breach.
GDPR and the NIS Directive both require organisations in one way or another to follow best practices in cybersecurity, threatening fines of up to four percent of global annual turnover for non-compliance.
NTT Security’s Kai Grunwitz said, “While cyber risk insurance should be put in place to help mitigate the potential fallout of a data security breach, a policy must not be seen as a ‘get out of jail free’ card.
“Cyber insurance must be complementary to an effective risk-based information security strategy, not a replacement for it.
“You wouldn’t expect your house insurance provider to pay out if you were burgled when the doors and windows are left unlocked. So don’t expect a payout – or indeed an insurance policy – if you haven’t put in place the right processes and policies.”
Source: Press release.
Internet of Business says
The report was published separately from our own Internet of Insurance event, which is taking place in London today and tomorrow (4-5 September). Keep your eye on Internet of Business for exclusive coverage of keynotes and other presentations.
Our US version of the event takes place in Houston, Texas, on 26-27 September.