In the current dynamic cyber risk landscape, it would be reasonable to assume that companies are shifting their risk perception from the physical to the digital and in turn adjusting the way they insure against risk. However, firms remain chronically underinsured against cyber risk.
Many companies struggle to grasp the extent of their cyber risk exposure, and this misunderstanding creates an unnecessary roadblock for every organization that could benefit from cyber risk transfer but is reluctant to purchase it.
There is a clear difference between how businesses perceive traditional risks, such as physical damage, compared to how they think of cyber risk. Tangible damage, like a fire in a warehouse, is much easier to visualize and the valuation of the affected physical asset valuation is relatively straightforward and predictable. The financial impact of a cyber-attack can be further reaching and more nuanced in terms of quantification.
Companies engaged in a structured process to value cyber risk are more likely to invest in adequate cyber insurance. These companies are also better able to evaluate the best return on cyber security investments, achieving a harmonious blend of prevention and residual risk transfer.
Some companies don’t yet purchase cyber insurance because there are fewer contractual imperatives to do so. It’s well understood that proof of insurance is a key requirement for stakeholders with a vested interest in the company, whether those are lenders, investors, partners or customers. In the US, it is now very common to see that insurance requirements do include cyber insurance, but this prudent measure has been slow at traversing the globe.
Cyber insurance does come with a cost, and companies frequently budget for insurance on an annual cycle measured in small aggregate increases and decreases, rather than major risk-based reallocation of capital. Firms may also feel that they can somehow spend their way out of the risk altogether through relentless investment in more cyber security tools.
Businesses purchase insurance solutions for risks they understand and where they perceive insurance is an effective method of treatment. Cyber insurance is only about 20 years old, so in comparison to insurance covering physical losses, it is admittedly in its infancy.
Appropriately designed cyber insurance is a proven and effective way to transfer residual risk, after thoughtfully understanding the risk and implementing appropriate controls.
Companies that fail to appreciate that spending indiscriminately will not always reduce their risk will unfortunately spend money needlessly. Those that clearly understand and articulate the risk in financial terms will have the keys to mindful budget allocation.