Nearly three in four corporate risk managers are not buying insurance policies to cover data breaches and damage to customers’ privacy despite the rising threat of hacking, according to a survey released on Monday.
Not only are most North American companies shunning coverage entirely, many of those who are taking out “cyberinsurance” are buying policies with only limited protection in case of an attack, consultants Towers Watson said in their annual review of corporate risk.
In the wake of high-profile attacks on companies like Sony and Citigroup, insurance brokers reported last summer that interest was soaring in policies to protect against civil suits and regulatory fines from data breaches.
That, in turn, led a number of insurers to start offering policies, which had an immediate downward effect on rates. Insurance brokers Marsh recently said that pressure has continued, as capacity exceeds demand.
But the Towers Watson survey indicates that interest is not converting into actual business — 72 percent of the 153 risk managers surveyed said they were not buying a policy at all.
“That was probably one of the more shocking findings we saw … that was virtually unchanged from what our survey found last year,” said Corey Gooch, a senior consultant at Towers Watson, in an interview.
Of those not taking coverage, two-thirds said it was because their internal controls were adequate or because they did not have a significant data exposure. Fewer than half said they conducted regular “penetration tests” to assess the adequacy of their network.
“I would have thought that would have been much higher,” Gooch said. “I’m not sure if that was sort of a disconnect or a historical issue.”
Even among those who did purchase a policy, more than four in ten said it had a limit of between $1 million and $5 million.
Last August, in its annual study on the cost of cybercrimes, the Ponemon Institute found the median cost of such crimes to an organization was $5.9 million. (The same study found attacks had risen 44 percent from a year earlier).
Generally, cyberinsurance covers suits filed by customers whose accounts have been hacked; direct costs such as notification letters sent to a ffected customers; and, increasingly, fines and penalties associated with data breaches.
As with any kind of insurance, it also carries all sorts of exclusions that put the onus on the policy holder. Some exclude coverage for any incident that involves an unencrypted laptop. In other cases, insurers say, coverage can be voided if regular software updates are not downloaded, or if employees do not change their passwords periodically.
The Towers Watson survey was conducted in February and March, covering companies across industries. The majority of them have annual revenue in excess of $1 billion.