Despite believing that their plant, property and equipment are now less valuable than their cyber assets, most organization spend four times more on insurance protecting their physical plants, properties and equipment than they do their information-based assets.
The 2017 Cyber Risk Transfer Comparison Global Report, written by the Ponemon Institute and sponsored by Aon, notes that most organizations spend much more on fire insurance premiums than on cyber insurance even though the probability of any particular building burning down is significantly lower than one percent, and despite stating in their publicly disclosed documents that a majority of the organization’s value is attributed to intangible assets.
In fact, organizations valued cyber assets 14 percent more than PP&E assets yet they insure on average 59 percent of PP&E losses, compared to an average of 15 percent of cyber exposures.
The Ponemon/Aon report was released at this week’s 2017 RIMS Conference in Philadelphia.
“This unique cyber study found a serious disconnect in risk management,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. He said the majority of companies cover plant, property and equipment losses, insuring an average of 59 percent and self-insuring 28 percent. Cyber is almost the opposite, as companies are insuring an average of 15 percent and self-insuring 59 percent.
While the majority of surveyed respondents find that cyber insurance is inadequate to meet the needs of their organization, too expensive and has too many exclusions, 46 percent of respondents reported a data breach in the last two years with the average financial impact costing $3.6 million.
The report cites one recent example. In the sale of Yahoo, Verizon recently reduced the purchase price by $350 million because of the severity of cyber incidents in 2013 and 2014.
Based on data breaches and security exploits experienced by the surveyed organizations, the greatest threats are business process failures that caused disruption to business operations as well as cyber attacks that caused disruption to both business and IT operations.
Looking ahead, 65 percent of organizations expect their cyber risk exposure to increase in the next two years.
Aon’s 2017 Global Risk Management Survey also found that cyber risk is a top concern for most businesses in the U.S. and globally. As a result, many companies are implementing formal assessments to identify and measure their cyber risk. While this risk is being recognized as a significant threat, it is often not properly managed on a relative basis compared to other growing assets and risk. This is having an impact on many companies’ bottom lines, according to Aon.
Additional findings from the Ponemon/Aon report:
- The impact of business disruption to cyber assets is 72 percent greater than to property, plant and equipment (PP&E) assets
- Quantification of probable maximum loss from cyber assets is 27 percent higher than from PP&E
- Sixty-three percent of companies that experienced a data breach in the last two years are now more concerned than before about their cyber liability.
- Eighty-two percent of companies have access to cyber security forensic experts in the event of a data breach.
- Thirty-six percent of respondents say their organizations do not have to disclose a material loss that is not covered by insurance in their financial statements, but if they do, 41 percent of respondents say they would include it in a footnote of a financial report.
- Seventy-one percent of survey respondents are either somewhat or not at all aware of the economic and legal consequences of upcoming regulations, such as the European Union General Data Protection Regulation (GDPR).
Ponemon and Aon surveyed 2,168 individuals in North America, Europe, the Middle East, Africa, Asia Pacific, Japan and Latin America11 who are involved in their company’s cyber risk management as well as enterprise risk management activities. Most respondents are either in finance, treasury and accounting (32 percent of respondents) or risk management (26 percent of respondents). Other respondents are in corporate compliance/audit (14 percent of respondents) and general management (12 percent of respondents).
Cost of Breach
A 2015 RAND Corp. study found that the cost of a typical cyber breach to an American company is much less than has been generally estimated, providing one possible explanation for why companies do not invest more to improve computer security.
The typical cost of a breach is about $200,000 and most cyber events cost companies less than 0.4 percent of their annual revenues, the study found. The $200,000 cost is roughly equivalent to a typical company’s annual information security budget.
The RAND study estimate is a lot less than the estimate in a May 2014 report by the Ponemon Institute, which put a $3.5 million pricetag on an individual data breach. Ponemon surveyed 314 companies in 10 countries.
The RAND study, which was published in the Journal of Cybersecurity, is based on a private dataset of 12,000 cyber incidents compiled by Advisen, which provides information on corporate losses to the insurance industry.
A 2015 study of 160 cyber liability insurance claims by NetDiligence, a data breach services company, found that the average total claim for a breach was $673,767. But the cost varied greatly by company. The average claim for a large company was $4.8 million, while the average claim in the healthcare sector was $1.3 million.
- Cyber Risk Costs Not Big Enough to Spur Investment by Businesses
- Company Data Breach Now Costs $3.5M on Average: Ponemon Study
- Crisis Services Top Insurers’ Cyber Claims Payouts; Average Claim at $674K
- Concerns Over Cyber Security Risks Outweigh Traditional Risks for Large Firms: Ponemon Study
- 4 Cyber Risk Misconceptions Popular with Midsized Firms
- Cyber Insurance: Many Choices Now That There Is No Choice
- RIMS 2017: Why Cyber Should be Treated as Standalone Insurance
- Why Some Firms Don’t Buy Cyber Insurance: Hiscox Report