• Register
Return to: Home > Comments > Comment: When it comes to cyber, “underinsured” means “underprepared”

Comment: When it comes to cyber, “underinsured” means “underprepared”

The cyber insurance industry is growing. In fact, it is the one of the fastest growing segments of the corporate insurance industry. It is estimated that the cyber insurance market is worth about $2bn in premium worldwide and, based on current predictions, it could reach more than $20bn in the next decade.

We are currently in the third development phase of cyber insurance. According to Allianz, it was Y2K that first provoked companies to look at their cyber exposures and later, the rise of regulation and legislation around data privacy continued to drive it forward into phase two. Now, in the third phase, we are seeing increased awareness around cyber risk, which is encouraging companies to take a close look at how they are protected.

Throughout the evolution of cyber insurance one thing has become clear; defence barriers can never be fully impenetrable and therefore, you are never fully protected. This is what makes insurance the back bone of cyber protection. Organisations of all sizes need to invest in security procedures and tools to make the business as resilient as possible. Preventing a breach is nigh on impossible so it is crucial that organisations have tools in place to detect a breach and have procedures for how to tackle and mitigate it. Organisations should consider all of the data held and produced by the business, and how to protect it.

Most insurance companies today operate in the cyber arena and large corporates, especially in highly targeted industries like retail, finance and healthcare, are protecting themselves. However, there is a disconnect in the middle market. According to the US National Centre for the Middle Market, the majority of middle market companies consider cyber security important for their business, but over half either lack a defined strategy around cyber or have an outdated policy in place, and only 22% hold a cyber insurance policy.

Underinsurance is a serious issue for the middle market as there is a perceived lack of exposure. On the contrary, research from Advisen found that in 2016, large organisations accounted for less than 20% of cyber losses. In many cases, middle market companies are in denial about their vulnerability to cyber-attacks and need to be insured against the risk just as much as their large competitors. Cyber criminals will often cast a wide net and take what they can get most easily. This can have devastating consequences on middle market firms who potentially don’t have the breadth of resource to simply bounce back.

The problem for most businesses is that the knowledge about available cyber policies is very low, especially in the middle market. People do not trust insurers to give them what they need. There is still a level of scepticism towards cyber insurers and therefore the C-suite are still cautious about putting budget towards it. Coupled with this, there is a misconception among middle market firms that existing insurance policies will protect against a cyber-attack or data breach and a lot of organisations will only become aware of a policy’s limitations once a breach has occurred.

A change in the corporate mind set is crucial to drive change and fully protect middle market businesses, but seemingly, there is work to be done. Only 17% of executives surveyed by IBM considered themselves “cyber secured”. Not only are the C-suite the ones making decisions around cyber insurance investment, they are also the ones that need to consider the repercussions of cyber-attacks. Reputational damage and financial risks are second and third respectively on the C-suite’s view of the technology risks that will be most significant over the next 3-5 years. Investing in the right cyber policies means they can invest their time where it is most needed including developing contingency plans, considering the impact on bottom line and crafting crisis communications plans to manage the organisation’s reputation following a cyber breach.

However, the onus should be on insurers as well as business executives. Insurance will be a catalyst to speed up holistic cyber security. Beyond selling products, insurance companies need to make sure “the house is in order” and ensure the organisations they are covering have good processes in place. We know now that increased awareness is driving the adoption of cyber insurance and it is the responsibility of insurers to gain the trust of the C-suite to move the industry forward. Insurance companies need to make organisations more aware of the different types of cover they offer. Collaboration is the key to combating cyber and this is the first step.

By Michael Shatter, Director of Risk Assurance Services, RSM Australia

Top Content

    South Africa: sensing new opportunities

    It has been an interesting couple of years for the profession in South Africa. A number of high-profile scandals have brought the profession and the role of auditors into sharp public focus, brewing a distrust towards accountants and a large expectations gap. Joe Pickard reports.

    read more

    Ghana: a quest for consistency

    Ghana’s current economic profile would suggest a fertile landscape for purveyors of accounting services. But inconsistent approaches to compliance and application of standards – coupled with problems in the banking sector and consequent liquidity constraints – have created a challenging environment. Paul Golden writes.

    read more

    Drone technology: audit takes to the skies

    The movement towards a digitised era has already impacted the auditing profession in a number of ways, from blockchain to artificial intelligence. Now firms are taking to sky and using drone technology in their audits. Mishelle Thurai speaks to Big Four firms to find out more.

    read more

    SBC: a new alliance joins the market

    Jonathan Minter speaks to Paul Tutin, chair of founding firm Streets Chartered Accountants, about why the business and its European partners took the decision to launch their own association.

    read more
Privacy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.