About 80% of companies are likely to suffer a data breach within 12 months, and while most of the associated costs will total less than $1 million, there’s a 5% chance the breach will cost the company $20 million or more.
Despite these frightening statistics, however, the vast majority of companies are significantly under-insured for cyber risk. In fact, companies are likelier to buy fire insurance than they are to buy a cyber policy, according to a new report from the research firm Ponemon Institute.
Researchers surveyed 2,243 company representatives in 37 countries on cyber risk and security. Of those, just one in five have a current cyber liability policy in place.
Much of that lack of market penetration has to do with ignorance surrounding cyber coverage. Many companies believe their general liability policies will cover cyber risk, while others mistakenly believe their companies are too small to be at risk of a data breach.
However, one other significant reason companies aren’t buying coverage is a lack of market capacity. According to Kevin Kalinich, leader of the global cyber risk practice for Aon Risk Solutions – which sponsored the Ponemon study – it is difficult to find policies with adequate limits.
“We are working with alternative markets because the traditional cyber insurance markets run out of capacity between US$200 million and US$300 million,” Kalinich said.
The limits of the admitted market’s capacity has been well canvassed by industry leaders. Just last month, AIG
CEO Peter Hancock made headlines by suggesting the amount of cyber liability coverage offered by carriers will only cover a fraction of the damages that occur during and after a data breach.
“The largest coverage I’m aware of is for a bank that has about US$400 million in coverage which is very small when you think about it,” said Hancock. “When you compare it to the amount of capacity that’s available for a complex chemical plant, refinery, offshore oil platform, the numbers are much, much higher.”
Hancock and others are hopeful, however, that as awareness of cyber risk increases, underwriters will start offering higher policy limits.
“The willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures,” Hancock said.