Cyber-related business interruption now a top concern of risk managers - Information Security & Cyber Risk Management Report
Zurich Insurance has released the ninth annual Advisen cyber survey of corporate risk managers and insurance buyers revealing current views about information security and cyber risk management. A key finding of the 2019 survey is that business interruptions due to cyber events are a top concern. That concern is driving a desire for increased cyber business interruption availability and limits.
- 82 percent of respondents stated that cyber risk has become a significant concern across their entire organizations.
- 95 percent of respondents said that they expect business interruption to be covered under their cyber policies in the event of a claim.
- 75 percent reported that they expect contingent business interruption to be covered, reflecting awareness that third-party cyber breaches affecting vendors can impact supply chains and vital services.
- 74 percent of insurance buyers who changed their cyber coverages in the last year did so to purchase higher limits than those provided by their prior policies.
"The cyber insurance marketplace is expanding and maturing to meet the increasing demands of corporations concerned about the ever-evolving cyber risks," said Paul Horgan, head of U.S. Commercial Insurance. "Businesses are not only buying more coverage, they are asking for innovative and robust solutions that address menacing new threats."
The survey details how customer needs and expectations are changing. In their infancy, Cyber-related claims typically involved costs incurred for reconstruction of data following a breach, user notifications, mitigation services for affected individuals, and regulatory fines and penalties. While those risks remain, the intensifying threats posed by ransomware and related schemes are focusing risk managers on the potential business interruption dimensions of literally losing control of their networks.
"In the past, the most attractive targets were organizations with large databases of personally identifiable information that could be stolen and monetized on the Dark Web," said Michelle Chia, head of Professional Liability and Cyber for Zurich North America. "While that risk is still with us, criminals are expanding their target lists to include organizations that historically have not had large stores of salable data. The goal is to immediately cash in by taking control of a network until a ransom is paid. Cyber attacks are bad enough for private businesses, but they can be particularly damaging for municipalities, universities and others dependent on legacy systems that may be less well defended or are infrequently updated."
The 2019 Advisen cyber survey found that corporate insurance buyers' increased awareness of the business interruption potential of cyber attacks is driven in part by the increasing frequency of headlines about ransomware attacks over the past 12 to 18 months. Choosing from a list of 11 possible outcomes of cyber risk events, 95 percent named data breach as the number one risk, followed closely by cyber-related business interruption at 94.5 percent and cyber extortion/ransom at 89 percent. One respondent commented: "This is what I would want MY cyber policy to cover."
Another risk addressed by survey respondents concerned the potential impacts of regulatory fines and penalties. In the wake of the European Union's General Data Protection Regulation (GDPR) fines levied against two multinational corporations, insurance buyers want to know how their coverages will respond in the event they are ruled out of compliance with the GDPR and similar laws. A significant number of risk managers – 71 percent – report that they expect their cyber insurance coverages to cover regulatory fines and penalties, while 35 percent stated that they purchased cyber coverage expressly for that purpose, up from 26 percent in the 2018 Advisen survey.
Zurich will discuss the key findings, analysis and conclusions later this month at the Advisen Cyber Risk Insights Conference in New York City. The survey represents a sustained commitment by Zurich and Advisen to stay current with evolving cyber risks and the impacts they have on businesses across the United States.
The results reflect 350 respondents representing risks managers, insurance buyers and other risk professionals covering both large and small companies around the world. Finance, banking and insurance industries are the most highly represented. Businesses of all sizes but slightly weighted toward smaller and middle market companies having revenues (or budgets for nonprofit or government entities) of $1 billion or less.
Interested parties can link to the complete survey results at Information Security and Cyber Risk Management: The ninth annual survey on the current state of and trends in information security and cyber risk management.