Out-Law News

UK companies lag behind US counterparts on cyber insurance take-up


US businesses are three times more likely to buy cyber insurance than their UK counterparts, according to a new report.

The Corporate Executive Programme (CEP) said research it conducted among its members found that 40% of major US companies have cyber insurance cover compared to 13% of UK businesses. CEP is an executive-level forum that brings together representatives from Fortune 500 companies to share knowledge on security risk.

CEP said, however, that its research found that businesses generating revenues of more than £1 billion each year are more likely to self-insure against cyber risk than take out dedicated cyber insurance cover.

New data breach and cyber incident notification requirements set to be introduced under new EU legislation could prompt more UK and other European companies to buy cyber insurance products in future, it said.

"This apparent trend for lower levels of dedicated cyber insurance in the European region may change with the pending EU data breach notification rules for data controllers under the draft General Data Protection Regulation and the proposed cyber breach notification rules for critical infrastructure providers under the draft Network and Information Security Directive," CEP said. "These changes could become a catalyst for an upsurge in cyber cover in Europe."

CEP interviewed senior business officials at 30 UK and 10 US businesses that operate in the financial services, manufacturing, retail and IT services industries. More than half the respondents' companies generate annual revenues totalling more than £1 billion and only 3% have an annual turnover of less than £1m. Most of the respondents were chief information security officers, with other respondents including heads of governance and risk, chief information officers and chief privacy officers.

According to the research, a quarter of the respondents' companies "set aside their own money to deal with any unexpected potential losses, incidents or contemplated risks", while 23% said their businesses' general business insurance cover addresses cyber risk. A fifth of the businesses have no cyber insurance cover at all, CEP said.

The CEP report said that 25% of the interviewees it questioned said their business had "suffered a business impacting cyber incident within the last year". Fewer than a third (30%) of those companies had dedicated cyber insurance cover, and in each case where that cover was in place it had been bought before the cyber incident occurred, it said.

CEP said that half of the companies that bought a cyber insurance policy said that they checked to see whether their suppliers also had such cover, whereas 70% of those without cyber cover said they reviewed whether or not the third parties they engaged with had cyber cover.

In-house lawyers at half of the businesses that have cyber insurance cover made the purchasing decision. At the other organisations that bought such cover, heads of risk or executive-level staff made the decision to buy the protection, and heads of information security were not involved in any of those purchasing decisions, according to the report.

Stephen Catlin, head of Catlin Group, the largest Lloyd's of London insurer, recently said that cyber security was the biggest risk he had seen in his career, that insurance companies cannot properly take it on, and that governments have a role in managing the threat.

In December last year, the Financial Policy Committee (FPC) at the Bank of England (the Bank) warned that cyber security is not just a technical issue that directors on the boards of UK banks can ignore. The UK government earlier last year said providers of cyber insurance policies can help businesses to improve the way they address cyber risks and respond to security breaches.
