Only 36% of public companies purchased cyber liability insurance in 2012, and only 6% of private companies had cyber liability insurance in 2010.
Why don’t more companies purchase cyber insurance?
Chubb Insurance asked nonbuyers this question, and the #1 response—from 47% of private company respondents and 37% of public company respondents—was “low risk/no exposure.”*
FBI Director Robert Mueller might have had corporate denial in mind when he told a conference of security professionals earlier this year: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” (Source: CNNMoney)
Facts are well-known
A well-publicized Ponemon Institute study** reported that the typical data breach in 2011 resulted in:
- 28,349 breached records.
- Total costs of $194 per record (including notification, call centers, forensics and other direct expenses).
- $561,495 in notification costs.
- $5.5 million in total organizational costs.
Furthermore, 46 states have enacted legislation requiring companies to notify customers if their personal information may have been compromised.
Cyber risks—and awareness—are growing
Cyber exposures are growing, and awareness of those risks seems to be growing as well, as indicated by slowly rising purchase rates of cyber insurance. More companies are realizing that they may be vulnerable to potentially costly cyber exposures, including cyber liability and cyber crime expense.
The same may be true for directors and officers (D&O) liability, thanks in part to the October 2011 SEC guidance that companies must consider information security when disclosing risks to investors. As attorney Kevin LaCroix, executive vice president, RT ProExec, said in his blog, The D&O Diary (September 24, 2012), “With increasing scrutiny on companies’ cybersecurity preparedness and disclosure comes the increasing possibility that companies experiencing cybersecurity incidents-and their directors and officers-may face claims from shareholders and other constituencies that they failed to implement appropriate cybersecurity measures or made misrepresentations about their cybersecurity preparedness.”
Although most companies aren’t yet buying cyber insurance, a majority of public companies are at least taking notice, according to Chubb’s survey:
- Public company decision makers cited cyber risk as their #1 concern from a list of exposures, with 63% expressing some level of concern.
- 71% of the public companies have an incident response plan (IRP) for an electronic security breach.***
- 52% of the companies are allocating more financial or human resources toward mitigating the risk of a cyber breach than they did a year ago. Only 3% are allocating fewer resources for this purpose.
- 24% of respondents said it was likely the company would experience a cyber event sometime in the next 12 months.
ACBI can help you protect your business from this debilitating threat. We have options for public and private companies, large businesses or small, professional services and non-profits. Contact us today to find out how we can help.