Cynch Security co-founder and seasoned risk practitioner, Susie Jones, urges risk managers to have an effective response plan that has been repeatedly tested to ensure it holds up in the event of a cyber security event.

Seven in 10 senior financial executives at some of the world’s largest companies falsely believe their insurer would cover most or all of the losses their company would incur in a cyber attack.

In a study of more than 100 chief financial officers (CFOs) and other senior financial executives, commissioned by FM Global, 45% said they expected their insurer would cover “most” related losses from a cyber security event, and 26% said they expected their carrier would cover “all” related losses.

But most of the effects these financial executives expect to experience in a substantial cyber security event aren’t typically covered by insurance policies, according to FM Global. These effects include:

  • Degradation of the company’s brand/reputation (46% said this was a likely effect of a cyber security event)
  • Increased scrutiny from the investment community (40%)
  • Decline in revenue/earnings (38%)
  • Introduction of regulatory compliance problems (35%)
  • Decline in market share (24%)
  • Decline in share price (24%)

‘New costs to mitigate the loss’ was also cited by 53% of senior financial executives. Indeed, many new costs—including expenses related to restoring data or equipment—would be covered by first-party cyber insurance or property insurance, according to FM Global.

Litigation and customer notification costs would be covered by third-party insurance. But the rest of the listed costs in the study would likely have to be absorbed by the victimised company. Moreover, more than half said financial recovery from a substantial cyber security event would take months to years.

Cynch Security co-founder and seasoned risk practitioner, Susie Jones, has this advice for company executives: “Combating cyber incidents needs a combination of proactive and reactive steps to be taken, and purchasing cyber insurance is just one of those steps.”

“Having an effective response plan that you have tested time and time again will not only reduce the impact and duration of an incident on your customers and bottom line, but will also reduce the size of your insurance claim, and therefore future impacts on premiums. Cyber insurance should only ever be one tool in your arsenal against cyber risks,” she adds.

Kevin Ingram, executive vice president and chief financial officer at FM Global, agrees: “As essential as cyber insurance is, the findings indicate financial executives may be deriving a false sense of security from it. While insurance is an essential part of the risk management formula, there are losses related to a cyber attack that insurance cannot cover—like damage to a company’s reputation, lost market share, missed growth opportunities, decreased valuation, and losses stemming from increased cost of capital. That’s why we’re so committed to helping our clients prevent loss in the first place.”

A recent report from The Cybersecurity Imperative, a global thought leadership program produced by independent researcher ESI ThoughtLab in conjunction with Willis Towers Watson, found annual losses from cyberattacks averaged $4.7 million in the last fiscal year — with more than one in 10 firms losing over $10 million.

The study covered 467 firms across multiple industries in 17 countries, revealing that companies worldwide expect to boost their cybersecurity investments by 34% in the next fiscal year, after raising them by 17% the previous year. About 12% of companies surveyed plan to bolster their cybersecurity investments by over 50%. Additionally, since last year, the percentage of companies seeing a significant impact from cybercriminal activities — such as installation of ransomware — has soared, from 57% to 71%.

Peter Foster, chairman, Willis Towers Watson Global FINEX Cyber and Cyber Risk Solutions, said, “It is clear from the findings that companies are experiencing escalating impacts this year from key adversaries, including cybercriminals, malicious insiders and state-sponsored hackers, often from jurisdictions beyond the reach of local law. Establishing a continuous assessment through an integrated risk approach to cyber is critical for mitigating this ever-growing risk.”