While the majority of global organizations say that it is ‘vital’ that their organization is insured against information security breaches, less than half (41 percent) are fully covered for both security breaches and data loss, and just over a third have dedicated cybersecurity insurance. This is according to the 2016 Risk:Value report from NTT Com Security, which looks at attitudes to cybersecurity and risk.
Research among 1,000 non-IT business decision makers in organizations in the UK, US, Germany, France, Sweden, Norway and Switzerland reveals that one in ten (12 percent) have no insurance cover at all for either eventuality. This is despite most business decision makers admitting that there is an increased cybersecurity threat.
While cyber liability insurance has become increasingly popular and can include cover for data/privacy breaches, extortion liability and network security liability, only 35 percent of businesses currently see the need to take a policy out, although a further 43 percent are getting one or thinking about it. Businesses in the US are most likely to have this type of insurance – 51 percent compared to just 26 percent in the UK. Notably, wholesale organizations (43 percent) are most likely to take out dedicated cyber insurance, together with business/professional services (43 percent) and utilities companies (39 percent).
Less than half (46 percent) of respondents whose organization has company insurance that covers data loss or a breach expect it to cover legal costs. Fewer expect it to cover regulatory fines (43 percent), government fines (41 percent) and remediation (41 percent). Covering loss of business and loss of IP (intellectual property) is even less likely, according to the report, at just 25 percent.
When it comes to the validity of insurance cover, half of respondents say that a lack of compliance with necessary security criteria could invalidate their insurance, while 46 percent feel that not complying with business policies could be a problem, and 43 percent point to the lack of an incident response plan.
The NTT Risk:Value report also reveals that only around half (52 percent) of businesses have a full information security policy, while less than half (49 percent) have a disaster recovery plan in place.