In 2017, businesses experienced significant financial impact caused by cyber-attacks. According to NetDiligence, whose data is based on actual cyber insurance claims, the average cost of a cyber breach was $349,000 for small companies, reaching an average cost of $5.9m for big organizations.
As boards and executives witness the financial impact of cyber-attacks, businesses are turning to cyber insurance in large numbers. In 2016, Aon placed around 35% of cyber premiums globally, for about $450m, and it expects that to grow to over $750m by 2020. Insurance company Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, up from around $3-4bn now.
It is clear that the cyber insurance market is booming. But are organizations ready to tackle this new and unpredictable risk? The 2017 Ponemon Institute survey found that, although 87% of companies view cyber liability as one of their top ten business risks, only 24% of risk management professionals admit to having cyber insurance. Companies cited inadequate coverage among the top reasons for not purchasing cybersecurity insurance.
Cyber-risk isn’t like car or house insurance where the risks are known and the products haven’t changed that much. It is much more complex and potentially more dangerous than traditional risk, and this is forcing insurance companies and their clients to find a reliable approach to cyber insurance.
“Cyber-risk needs to be addressed both on the prevention and the protection side in order to transfer it to the insurance market. In fact, insurance carriers can’t accept to underwrite risks which are not properly assessed. That’s why it is fundamental to set up approaches which can help in adopting a risk-based security insurance coverage,” said Romina Calciago, Aon Global Risk consulting head.
Liability and accountability
In order to get cyber insurance coverage, organizations will have to demonstrate that they have followed best practices to protect consumers and employees. This is especially so with the European Union's General Data Protection Regulation (GDPR) becoming actionable in May, where violations might subject the offender to penalties starting at 20m euros.
Companies will also need to shift their approach to cyber-risk management, with a focus on accountability, to identify their threats and insurance needs. “The cyber-risk has finally moved from an IT to a business problem. This translates into the need for the top management of our clients to have a proper view on a clear, multi-faceted, and quantitative assessment of their cyber-risk exposure,” said Gabriele Ratti, deputy general manager of Aon Hewitt Srl.
To properly mitigate cyber-risk, companies need to carry out a deep technical diagnostic linked to realistic business impact. Cyber diagnostic tools such as Starlings Soar allow a detailed and fact-based quantification of the exposure to cyber-risk of a company’s business and technical infrastructure, giving top management very tangible cases and concrete actions with which to optimize their risk profile.