A cyberattack carries the potential to break most companies. More so than ever, cyber risk insurance has become an important protection. But until recently, there wasn’t much state-level data available about how many businesses have been adopting cyber risk insurance and what kinds of protections that coverage can offer. Fortunately, results of a new survey published by Indiana University contain several valuable insights for Hoosier business owners.
Cyber Insurance in Indiana
The "State of Hoosier Cybersecurity 2020" report was prepared for state policy advisers on the Indiana Executive Council on Cybersecurity late last year. It was developed from the results of a survey conducted by the Indiana University Kelley School of Business, the Indiana Business Research Center, and the University of Arizona.
Researchers compared responses from roughly 200 public and private organizations from throughout the state that represented a fairly good cross section of company sizes. About 45 percent of the responders were from companies with fewer than 10 employees, 20 percent were from companies with over 250 employees, and the remainder fell between.
What Percent of Companies Have It?
According to the report, about half of respondents indicated that their organization had cyber risk insurance. More than a quarter of responders said their organization did not. The remaining responders were unsure or declined to answer.
How Long Have They Had It?
The majority of the companies that have cyber risk insurance purchased their policies within the last five years. In fact, nearly a quarter of responders got their coverage in 2018 and 2019, indicating a clear upward trend in the number of companies that are choosing to add coverage.
It’s worth noting that 2020 was a bit of an outlier year for this data with only a single company saying it had added cyber coverage in that period. Although that’s a steep drop, it’s likely attributable to the economic challenges that prevailed for many companies throughout last year.
Why Did Companies Purchase Coverage?
The reasons that companies cited for their decision to purchase cyber risk insurance fell into a few different categories. Thankfully, less than 10 percent of those with a policy said they chose to get one as a response to an incident at their own organization. Most of the companies got covered because of coverage they had seen on the news regarding cyberattack incidents.
Another large chunk, about 40 percent, responded they chose coverage for “other” reasons, including such things as insurance agent recommendations, inclusion of cyber coverage in a general policy, response to cybersecurity trainings, or out of a perception that obtaining this insurance made sense for their business.
What Do These Policies Contain?
Cyber risk insurance needs to cover a variety of subjects because a data breach can affect many more parties beyond the original victim of an attack. Therefore, many policies contain both first-party and third-party coverage.
The most common first-party losses that are covered are things like:
When it came to what policies covered regarding third-party losses, the responders were a little less certain. More than half said they weren’t sure. The other responders said their policies covered such third-party losses as costs for legal defenses relating to a breach, claims for damages from those whose data was exposed, claims for damages due to economic loss, and other fines or penalties. About 60 percent of responders said their policies included a limit on coverage.
Additionally, about half of the companies that have a policy said their insurer requires them to have certain cybersecurity practices in place as a condition of coverage. This mostly included employee training and cybersecurity best practices.
More Coverage Likely Coming
Given the potential for losses involved and the increasing threat of cyberattacks on businesses, it’s likely that cyber risk insurance coverage is going to be picked up by more companies throughout the coming years. Business is becoming ever more connected, and thus it will need to be increasingly protected. With new state-level data in hand, companies and policy makers will have a deeper understanding of where we are today and where we can go.
By Nick Dmitrovich with data from Indiana University.