Most senior finance executives at large companies believe that cyber insurance would cover most or all of the losses their company would incur in a cyberattack, a new study says. But they are wrong, according to commercial property insurer FM Global.
In a study of 105 CFOs and other senior financial executives at companies with revenue of at least $1 billion, commissioned by FM Global and performed by CFO Research, 45% said they expected their insurer would cover “most” related losses from a cybersecurity event, and 26% said they expected the carrier to cover “all” related losses.
But most of the effects these financial executives expect to experience in a substantial cybersecurity event aren’t typically covered by insurance policies, says FM Global, which sells cyber insurance. These effects include:
The survey participants were given one other choice: “New costs to mitigate the loss,” cited by 53% of them. Indeed, many new costs — including expenses related to restoring data or equipment — are covered by first-party cyber insurance or property insurance, according to FM Global.
Litigation and customer notification costs would be covered by third-party insurance. But the rest of the listed costs in the study would likely have to be absorbed by the victimized company, FM Global says. Moreover, more than half of the survey participants said financial recovery from a substantial cybersecurity event would take months or years.
“As essential as cyber insurance is, the findings indicate financial executives may be deriving a false sense of security from it,” says Kevin Ingram, the insurer’s CFO. “That’s why we’re committed to helping our clients prevent loss in the first place.”
The company provides a cyber-risk assessment tool that identifies addressable vulnerabilities in physical security, information security, industrial controls, and building automation systems.
*Although insurance would be expected to cover lost revenue during the span of a disruption, lost revenue related to lost growth, market share, brand equity, etc., after the resumption of operations would not normally be covered.