Cyber insurance gaps stick firms with millions in uncovered losses

Summary: The majority of companies have experienced cyberattacks that were not fully covered by their cyber insurance policies, leaving significant gaps in coverage and resulting in uncovered losses.

Threat Actor: N/A

Victim: Companies

Key Point :

  • 4 out of 5 companies have suffered a cyberattack that was not fully covered by their cyber insurance policy, leaving significant gaps in coverage.
  • On average, each insurance gap left more than three-quarters of a breach uncovered, resulting in an average of $27.3 million in uncovered losses per incident.
  • Many companies rely on cyber insurance to cover losses from cyber incidents but are surprised to find that their insurance only covers a small portion.
  • The rising list of exclusions in cyber insurance policies, such as lack of security protocols and human error, can make coverage void.
  • U.S. businesses are facing broader exposure to data breaches and cyberattacks due to IoT reliance, remote work expansion, and increased use of cloud data storage.
  • Companies should approach cyber insurance with diligence and regularly review their policies to ensure they have adequate coverage.
  • One case study highlighted the Capital One breach, where the company faced $65 million in uncovered damages despite receiving $73 million through insurance coverage.

Dive Brief:

  • The majority of companies, 4 in 5, have suffered a cyberattack that wasn’t fully covered under their cyber insurance policy, according to an analysis by cyber risk quantification firm CYE.

  • On average, each insurance gap left more than three-quarters of a breach uncovered, CYE said in a report released Wednesday. The research, which analyzed 101 breaches across various sectors, revealed an average of $27.3 million in uncovered losses per incident.

  • “This study underscores how many companies rely on cyber insurance to cover the losses incurred as a result of cyber incidents and are then taken by surprise when they find that their insurance only covers a small portion,” Nimrod Partush, vice president of data science at CYE, said in a press release

Dive Insight:

Direct written premiums for cyber insurance worldwide could rise to $23 billion by 2025, with U.S. businesses paying about 56% of the total, according to a February report from the Insurance Information Institute, an industry association.

U.S. businesses — the primary purchasers of standalone cyber insurance policies — are facing broader exposure to data breaches and cyberattacks through their reliance on IoT, the expansion of remote work, and greater use of cloud data storage, according to the Triple-I report.

A rising list of exclusions could make cyber insurance coverage void, an August 2023 survey from cybersecurity firm Delinea. Those exclusions include a lack of security protocols, human error, acts of war and not following proper compliance procedures. 

“Our survey results find that most organizations are not approaching cyber insurance with the same diligence — they are simply looking to get covered,” Joseph Carson, chief security scientist and advisory CISO at Delinea, said in a press release when the survey was unveiled. “What they’re not checking is whether the policy they had last year is what they need now, or if their policy changed at renewal. This ‘cyber insurance gap’ could put a lot of organizations in a tough place when a cybersecurity incident occurs, and they want to utilize this financial safety net.”

In one case study CYE highlighted, Capital One in July 2019 reported a major security breach with an estimated cost of $138 million, including expenses related to customer notifications, credit monitoring, technology updates and legal support. Despite receiving $73 million through insurance coverage, the company faced $65 million in uncovered damages.

“This event highlights the substantial repercussions of cybersecurity breaches on companies, particularly when insurance does not fully cover the resultant financial losses,” the CYE report said.

Source: https://www.cybersecuritydive.com/news/cyber-insurance-gaps-cyberattack/713786/


“An interesting youtube video that may be related to the article above”