2015 RIMS Survey points to important trends in data security and cyber insurance
The Risk Insurance Management Society (RIMS) recently published the results of its 2015 Cyber Survey. The survey of RIMS members provides important benchmarking information for risk managers as they continue to grapple with data security and the procurement of cyber insurance.
Notable among the survey’s findings:
• Nearly 51 percent of RIMS members purchased standalone cyber insurance.
• Of those not buying standalone cyber insurance, the majority do not have it at all.
• Nearly 75 percent that do not have cyber insurance are considering it within the next two years.
• Most companies are spending less than $100,000 a year on cyber security.
• The largest percentage of companies purchase cyber with limits between $5 million and $19 million.
• Over 90 percent of participants have breach notification as a covered aspect in cyber, with cyber extortion second.
• 58 percent of respondents transfer cyber risk to third parties.
• The top first-party cyber insurance concern is reputational harm — not data breaches.
• The top third-party concern is disclosure of personal information.
• Just over 51 percent of respondents are concerned with cyber extortion.
Planning and responsibility
• 89 percent of respondents have a plan in the event of a cyber crisis.
• Most companies place responsibility for cyber with the IT department.
These statistics are just a few of the high points from the 15-page survey, but here are three key takeaways:
• In the wake of massive data breaches experienced by companies such as Target, Anthem and Sony, most companies either have standalone cyber insurance or are considering a purchase within the next two years. Companies of all sizes must consider cyber insurance as part of the overall risk management program.
• The two largest-spending categories related to data security are “below $100,000” and “over $1 million per year.” High-target industries such as banking, health care, hospitality and retail are likely to pay a premium for protection. As the scope and sophistication of cyber attacks increase, so, too, will spending on data protection.
• Companies must carry appropriate limits on their cyber insurance. Having first-party as well as third-party coverage is critical. As the survey results show, the low end of the limits spectrum is $5 million — a policy limit that is likely too low for a vast majority of companies. Buyers should pay particular attention to the sublimits. In many respects, the overall policy limit is not as important as the respective sublimits for the more critical areas of coverage.
Here are some additional areas to consider for policyholders when placing cyber insurance.
The definitions. Since insurers use different forms for data breach and privacy insurance, the definitions used in the policy are critical to the scope of coverage. Remember, cyber attacks can take numerous forms, so your policy must be comprehensive.
Cyber policy exclusions. Cyber policies contain a litany of exclusions. Prospective buyers must pay particular attention to the exclusions. Matching up the definitions in the policy to the exclusions may reveal some important gaps in coverage. Be sure every base is covered through a comprehensive analysis of the specimen policy.
The retroactive date. A 2013 survey by Mandiant, a FireEye Company, noted that the average number of days a hacker is in your system before discovery is 229. Breach detection is still a major issue for many businesses. To account for a potential lag in breach discovery, ensure your policy has a retroactive date of at least one year; ideally, two years should be the minimum.
Cyber insurers’ vendors. For insurers, one of the key selling points of cyber coverage is the network of resources made available to close a breach. From forensic information technology vendors to credit monitoring and PR experts, your insurer can make one call to marshal these resources for your benefit. But how well do you know these vendors? Will they do more harm than good? Policyholders should vet the insurer’s panel of vendors; if they are not best in class, negotiate.
Time spent upfront on an in-depth analysis of cyber policies may prevent a coverage fight with the insurer should a breach occur. Working closely with your broker and coverage counsel can help companies avoid unwanted litigation and eliminate gaps in coverage from the outset.
Collin Hite is the practice leader of the Insurance Recovery team in Hirschler Fleischer's Richmond office. Contact him at (804) 771-9595 or [email protected]