Dive Brief:
-
Eight out of 10 companies have suffered a cyberattack that wasn’t fully covered under their cyber insurance policy, according to an analysis by Israeli cyber risk quantification firm CYE.
-
On average, each insurance gap left more than three-quarters of a breach uncovered, CYE said in a report released Wednesday. The research, which analyzed 101 breaches across various sectors, revealed an average of $27.3 million in uncovered losses per incident.
-
"This study underscores how many companies rely on cyber insurance to cover the losses incurred as a result of cyber incidents and are then taken by surprise when they find that their insurance only covers a small portion,” Nimrod Partush, vice president of data science at CYE, said in a press release.
Dive Insight:
Direct written premiums for cyber insurance worldwide could rise to $23 billion by 2025, with U.S. businesses paying about 56% of the total, according to a February report from the Insurance Information Institute, an industry association.
U.S. businesses — the primary purchasers of standalone cyber insurance policies — are facing broader exposure to data breaches and cyberattacks through their reliance on Internet of Things (IoT) technologies, the expansion of remote work, and greater use of cloud data storage, according to the Triple-I report.
Meanwhile, an August 2023 survey from cybersecurity firm Delinea found a rising list of exclusions that could make cyber insurance coverage void, including a lack of security protocols (43%), human error (38%), acts of war (33%), and not following proper compliance procedures (33%).
“Our survey results find that most organizations are not approaching cyber insurance with the same diligence — they are simply looking to get covered,” Joseph Carson, chief security scientist and advisory CISO at Delinea, said in a press release when the survey was unveiled. “What they’re not checking is whether the policy they had last year is what they need now, or if their policy changed at renewal. This ‘cyber insurance gap’ could put a lot of organizations in a tough place when a cybersecurity incident occurs, and they want to utilize this financial safety net.”
In one case study highlighted by CYE, Capital One in July 2019 reported a major security breach with an estimated cost of $138 million, including expenses related to customer notifications, credit monitoring, technology updates and legal support. Despite receiving $73 million through insurance coverage, the company faced $65 million in uncovered damages.
“This event highlights the substantial repercussions of cybersecurity breaches on companies, particularly when insurance does not fully cover the resultant financial losses,” the CYE report said.