Businesses are beginning to rank cyber-security risks as greater than natural disasters and other major business risks, and while only 31 percent of companies are insured against data breaches, a growing number of companies are exploring policies, according to the findings of a survey by Experian Data Breach Resolution and the Ponemon Institute.
Security exploits are greater than or equal to a natural disaster, business interruption, fire or other disaster, according to 76 percent of respondents. However, on average, respondents say there is a 9 percent likelihood that their companies will experience the predicted maximum financial impact during a data breach.
"Companies worry about the financial impact following a data breach," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. "Cyber-insurance could be an important part of a risk management strategy to protect against potentially severe financial losses."
Respondents quantified the average potential maximum financial risk of a data breach at $163 million, with some projecting more than $500 million in damages. Of the 56 percent that had breaches, they reported an average cost of these incidents as $9.4 million in the last 24 months.
"We are reaching a tipping point where the majority of companies we surveyed now rank cyber-security risks as high as other major insurable business risks," Michael Bruemmer, vice president at Experian Data Breach Resolution, said in a statement. "We anticipate that demand for cyber-security insurance is likely to increase in response to evolving breach response policies."
The study found that the likelihood of a company considering a policy increases after it experiences an incident. Just under a third (31 percent) of companies reported current cyber-insurance coverage, and survey results suggested growth on the horizon, with 39 percent of respondents saying their organization plans to purchase a policy.
Those without a policy noted that price is a roadblock for purchasing. Respondents also said that policy conditions that include excessive exclusions, restrictions and uninsurable risks inhibit their organization from purchasing a policy. However, of those with insurance, 62 percent believe the premiums are fair, given the nature of the risk.
Of those with a policy, 30 percent have experienced an exploit or a data breach and submitted claims. Nearly all were happy with their providers' responses to the claims. The survey revealed 62 percent of respondents had found that the process of evaluating cyber-insurance policies improved the company's cyber-security preparedness and readiness. The study found most policies provided benefits for forensics and investigative costs (64 percent), notification costs to data breach victims (86 percent) and legal defense costs (73 percent).
"The evolution of how to prepare for and manage security exploits will continue to advance," the report concluded. "The study indicates more and more interest and adoption of cyber-insurance policies as a means to mitigate the impact of an exploit."