Welcome to the brave new world of cybersecurity. A September survey by the Risk and Insurance Management Society found that 80% of the companies bought a stand-alone cybersecurity policy in 2016. The takeaway: Policies covering exclusively cyber exposures are now the norm for many large companies.
The annual RIMS cyber survey polled 272 respondents on issues ranging from exposure concerns, first-party and third-party risk, and government regulations.
Almost 70% of companies now transfer risk of cyber exposure to a third party. Twenty-four percent of the risk managers surveyed say their companies will each spend more than $1 million on cybersecurity protections, including active monitoring and employee education, by year-end.
“Failure to keep pace with technological advancements will leave an organization at a terrible disadvantage,” said Julie Pemberton, director of enterprise risk and insurance management for Outerwall Inc. and president of RIMS. “Embracing technology has enabled organizations to strengthen their performance but at the same time has created many new exposures that risk management must address.”
Respondents are most worried about reputational harm (82%), notification costs (76%), and business interruptions caused by both network outages (76%) and data loss (75%) from cyber breaches. Cyber extortions (63%) and the theft of trade secrets or intellectual property (42%) are also concerns.
The purchase of stand-alone cybersecurity policies increased 29% from the previous year. That’s thanks, in part, to more versatile insurance packages, said Emily Cummins, a member of the RIMS board of directors.
“The take-up rate increases as more people are educated in the space,” Cummins said, who is also the managing director of tax and risk management for the National Rifle Association. “As insurance suites become increasingly available, more and more companies want to procure a plan that can fit their own unique needs.”
Companies with large supply chains may be pressuring vendors to invest in more robust cybersecurity programs, driving at least part of the growth in the sector. Twenty-five percent of respondents say their companies bought stand-alone insurance because of contractual obligations with other companies, a 17% increase from 2015.
Twenty-three percent are paying more than $500,000 for their policies, while 24% spend less than $50,000 on premiums.
“The strength of an insurance marketplace is determined by how effectively insurers can respond to the needs of the buyers,” Cummins said. “The evolution of products that are specific to individual companies has been really impressive.”
Risk managers are divided about whether or not the government should mandate the reporting of cyber breaches. Forty-eight percent of the respondents think the government should mandate reporting, while the rest are unsure or opposed. RIMS is currently deliberating its position on the issue.
The annual RIMS survey was distributed to the organization’s membership in August and early September. The majority of respondents work for companies with more than 1,000 employees and an estimated annual revenue of more than $1 billion.