About half of U.S. businesses say they don’t have cyber risk insurance, compared to fewer than a third in the U.K. and Canada, and the health care sector is lagging the worst, according to a recent survey.
The data, released by credit-scoring and data analytics giant FICO and market researchers Ovum, comes from a telephone survey of IT and security executives from a broad range of companies in the financial services, media, e-commerce and retail, telecommunications and health care sectors in North America and northwestern Europe. The 350 companies ranged in size from fewer than 1,000 employees (30 percent) to over 10,000 (25 percent) with nearly half of them (45 percent) somewhere in between.
Half of U.S. businesses report having cyber insurance, although only about a third of those (16 percent of the whole sample) are confident that it covers all their risks. Just under a quarter more (23 percent) reported plans to buy insurance in the coming year. The U.S. lags the U.K., where 69 percent report having at least some cyber insurance and 28 percent say it covers all risks, and it also trails Canada and Sweden, where 64 and 56 percent respectively report having insurance.
Lagging even more — health care. None of the U.S. health care firms questioned in the survey said they had insurance that covers all their risk, while 74 percent reported no cybersecurity insurance at all.
In a statement, a FICO executive highlighted the deepening concern among respondents about the growing risk of data theft, contrasting it with the widespread abstention from the insurance market.
“With so many firms concerned about a rise in the likelihood of cyber breaches in the next year, it’s troubling to see that half of them don’t have any cybersecurity insurance protection,” said Bob Shiflet, who oversees fraud and financial crime solutions at FICO.
In other ways, executives seemed more prepared. In every country and every sector, there was optimism about security budgets growing or at least staying the same over the coming year. Overall, nearly half (48 percent) said their security budgets would be increased, while just a few percentage points more, 52 percent, believed they would be maintained at the same level. The highest level of optimism about budget increases (56 percent) was reported by financial services organizations and the lowest (37 percent) was in the health care sector.
The survey data also suggests that the low level of insurance take-up may in part be due to concerns about how effectively priced the market is — in other words, executives might be worried that they can’t be sure what they’re buying when they pay their cyber insurance premiums.
Nearly one in four (23 percent) said they didn’t believe their premiums accurately reflected their risk profile, not many fewer than the 25 percent who believed the premiums were reflective of their actual risk. Nearly one-third (27 percent) said that insurers should provide clear guidelines about how premiums are chosen, 24 percent would like more transparency as to why premium adjustments happen and 26 percent would like insurers to introduce an industry standard for benchmarking cybersecurity risk.
“There are steps the insurance industry can take to make guidelines clearer and explain premium adjustments, but companies need to be willing to dedicate the resources required to protect themselves from the breaches they themselves see as likely, if not inevitable,” said Shiflet.