Cyber risk insurance still less than tangible assets

January 15th, 2018, Published in Articles: EE Publishers, Articles: EngineerIT, Articles: PositionIT, Featured: PositionIT

The 2017 EMEA Cyber Risk Transfer Comparison Report, recently released by Aon in collaboration with the Ponemon Institute, found that organisations recognise the growing value of technology and data assets relative to historical tangible assets, though they are spending four times more on insurance for property, plant and equipment (PP&E) risks.

The report is based on a survey of over 500 individuals in Europe, the Middle East and Africa involved in their company’s cyber risk management as well as enterprise risk management activities. 35% of respondents are in finance, treasury and accounting and 25% in risk management. Corporate compliance/audit accounted for 17% of respondents and general management 9% of respondents.

The report found that while 38% of businesses surveyed confirmed they have experienced a cyber loss in the past 24 months, only 15% of their probable maximum loss (PML) is covered by insurance. This is in stark contrast to the policy limits purchased against physical assets like property, plant and equipment, where around 60% of their PML is typically covered. The report also shows that the impact of business disruption to information assets is 50% greater than to PP&E.

On average, the total value of PP&E, including all fixed assets plus SCADA and industrial control systems, is approximately $932-million for the companies represented in this research. The report calculates an average total value of information assets, which includes customer records, employee records, financial reports, analytical data, source code, models, methods and other intellectual property, of $1092-million.

This study compared the relative insurance protection of certain tangible versus intangible assets, and found that most organisations spend much more on fire insurance premiums than on cyber insurance, despite stating in their publicly disclosed documents that a majority of the organisation’s value is attributed to intangible assets.

The report also found that only 30% of businesses are fully aware of the legal and economic consequences of the European Union General Data Protection Regulation (GDPR). The regulation will come into effect on 25 May 2018, and introduces a 72-hour notification for all personal data breaches – except those unlikely to pose a risk to individuals. Fines for non-compliance with the GDPR will increase to as much as €20-million or 4% of an organisation’s global turnover (whichever is higher). Insurance carriers are starting to see an increase in demand for cyber coverage as cyber exposure awareness becomes an enterprise-wide issue.

With 65% of EMEA organisations expecting their cyber risk exposure to increase over the next two years, cyber risk needs to be approached at an enterprise-wide level in order to achieve cyber resilience. This should include enterprise-wide education, assessment and quantification, preventive risk management, an incident response plan, as well as cyber insurance.

Contact Kerry Curtin, Aon South Africa, Tel 011 944-7838, kerry.curtin@aon.co.za