Taking Cybersecurity Seriously

Hilary Tuttle


October 1, 2013


In the first half of 2013, reported cyberbreaches rose by 27% from the first half of 2012. Yet, according to a new study from the Ponemon Institute, only 31% of companies currently hold cyberinsurance policies and 30% said they do not plan to purchase coverage.

This disconnect could prove costly. More than half of respondents in the August 2013 Ponemon Institute study “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age” had experienced a data breach and reported that the average cost of these incidents was $9.4 million. Those surveyed were also asked how much their companies could suffer from cybercrime. Their estimate was an average maximum financial exposure of $163 million per company, with some projecting more than $500 million in damages.

But don’t let the numbers fool you: while big companies can suffer massive financial loss, small businesses face some of the greatest dangers. According to a March 2013 report from the House Small Business Subcommittee on Health and Technology, almost 20% of all cyberattacks target companies with 250 employees or fewer. The costs of cyberbreaches can be far more damaging for companies this size—nearly 60% of small businesses close within six months after a cyberattack.

Small and large businesses alike are beginning to comprehend the stakes involved. Michael Bruemmer, vice president of study co-author Experian Data Breach Resolution, said the Ponemon findings show a clear increase in risk managers’ awareness of cyberthreats. Indeed, three quarters of survey respondents said that protecting against a cybersecurity exploit is “more important or as important as safeguarding against a natural disaster, business interruption or fire.”

Brokers have noted a decisive rise in cyberrisk awareness, too. Marsh U.S. has seen a 33% increase in clients purchasing cyberinsurance and the levels of coverage purchased have increased by 20%, according to a report the broker released in March.

In the Lloyd’s of London 2013 Risk Index, businesses ranked cyberrisk their third-highest priority for the year, up from twentieth in 2009. “For cyber to be as high as #3 is proof that the risk is there and the stories that you’re reading on the front pages and blogs regarding cyberattacks are real,” said John Coletti, XL Group’s underwriting manager for cyberliability. “As more businesses migrate their businesses to a cloud-based platform and the reliance on data grows greater than ever before, it’s no surprise that companies are worried about cyberrisk.”

With a constant stream of breaches in the news and ever-growing list of sources of risk, cybersecurity is rising up the priority list for corporate risk managers. While only about one-third of companies surveyed currently have cyberinsurance, 39% of Ponemon’s respondents said their organization plans to purchase a policy. More than half who already have policies reported that cyberinsurance is an essential component of their company’s risk management program.

The benefits of cyberinsurance reach beyond the actual policy—62% of Ponemon respondents felt that just the process of evaluating cyberinsurance policies improved their company’s cybersecurity preparedness and readiness. “I don’t think a lot of risk managers understand what can happen with a data breach and what the regulatory requirements are,” Coletti said. “What is the actual threat of cyberexposure for your company? You need to know, in detail, to build a plan.”

To best build that plan, Coletti advised that cyberrisk be evaluated from the perspective of subject area experts across every division of a company, gathering information from chief technology, information and security officers to fully analyze what data is out there and what exposures are possible.

From there, brokers and insurers still have a lot of work to do on the education front. “Until risk managers can understand what the exposure is, it’s hard to explain to someone in your finance department why you need to spend the money,” he said. “Ultimately, I think there’s still a culture out there of thinking that it just isn’t going to happen to them.”

Businesses may soon see further incentive to guard against cyberthreats. In an Aug. 6 White House blog post, Special Assistant to the President and Cybersecurity Coordinator Michael Daniel outlined the Obama Administration’s efforts to create a Cybersecurity Framework, “a set of core practices to develop capabilities to manage cybersecurity risk.” A draft framework is anticipated in October and, once finalized in February, Daniel said the administration plans to create a voluntary program to encourage businesses to adopt measures suggested in the framework. This program could potentially include offering rate recovery for price-regulated industries, funding research and development for new commercial cyberrisk solutions, and using adoption of the framework as a condition or weighted criteria for federal critical infrastructure grants.

Additionally, Daniel reported that the Commerce Department’s National Institute of Standards and Technology is attempting to engage the insurance industry as part of developing security standards and procedures. “The goal of this collaboration would be to build underwriting practices that promote the adoption of cyberrisk-reducing measures and risk-based pricing and foster a competitive cyberinsurance market,” Daniel wrote.

Underwriters, however, have said that buying some insurance and adopting a few risk-reducing measures is not enough. “Your risk management for cyberattacks is continuing,” said Coletti. “It is essential to maintain a dynamic type of risk management program and constantly be updating it. Risk managers have to be willing to work with all the interested groups within the organization and understand that it’s an ongoing process—the bad guys are continually getting better, too.”

Hilary Tuttle is managing editor of Risk Management.