Most cyber insurance policyholders have a massive coverage gap
The average coverage gap was 350%, meaning more than three-quarters of the cyberattack was not covered.
Some 80% of companies that had a data breach did not have enough cyber insurance to fully cover the event, according to a study by cybersecurity platform Cyesec Ltd.
The average coverage gap was 350%, meaning more than three-quarters of the cyberattack was not covered, Cyesec reported. The cost of the uncovered losses was $27.3 million and some organization’s coverage gaps were as large as 3,000%.
These findings reveal that companies recognize cyberthreats, but are failing to account for the full magnitude of an incident. Cyber insurance policies typically cover losses related to fines, lawsuits and breach containment, but other damages such as churn, loss of intellectual property and lost productivity often go uncovered. These unrecognized losses drive companies to underestimate their cyber risks, Cyesec reported.
“Many organizations are aware of cyber risk, but do not fully comprehend what the potential cost could be if they are breached,” said Nimrod Partush, vice president of data science at Cyesec, said in a release. “This study underscores how many companies rely on cyber insurance to cover the losses incurred as a result of cyber incidents and are then taken by surprise when they find that their insurance only covers a small portion.”
According to Cyesec, “low-tech sectors” such as hospitality, food service, construction and warehousing tend to have adequate cyber coverage, while industries such as insurance, manufacturing, finance and information services tend to have coverage gaps of more than 100%. This is because organizations in the latter group have more digital assets and are more dependent on digital systems to operate.
More digitally dependent companies also face more challenges in securing adequate coverage due to the high cost of a potential breach, Cyesec reported. As a result, many of these companies focus more on risk quantification as a means to reduce uncovered cyber risks.
Related: