Understanding New Findings from the Ponemon Institute

Posted by Mark Greisiger

A Q&A with Ozzie Fonseca of Experian® Data Breach Resolution
Organizations are increasingly addressing cyber risk, and Ponemon Institute’s new study titled “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age” explores the current attitudes business leaders have toward managing security threats and the steps they are taking to minimize them. I spoke with Ozzie Fonseca, senior director, Experian Data Breach Resolution, about what the survey uncovered.

What were some of the most surprising findings of the Ponemon survey?
To me, the most surprising finding was the fact that most companies are now viewing cyber risk as an equal or greater threat than natural disasters, business interruption and fires. For the longest time, cyber insurance was around but it was not accepted as a need. Recently, over the last couple of years, that has really changed. While the study itself doesn’t go into the reasons why, I think we can assume this is happening because companies are:

  1. Witnessing the very pervasive nature of data breaches—they are happening all of the time.
  2. Realizing the significant financial burden that these incidents pose on an organization.
  3. Understanding that they have to be ready and arm themselves with all of the tools out there, and cyber insurance policies are an important tool.

What do companies most need to know about cyber risk insurance policies? What is the current perception out there?
I think it’s important for an organization to make sure that they thoroughly read and understand what’s covered and what’s not, and how their policy works. In our study we found that 70 percent of companies that have been affected by data breaches are now looking to get a policy. For these organizations, the costs are no longer hypotheticals—there are real numbers at play. And 62 percent of companies we spoke to feel that cyber insurance premiums are quite reasonable. A few are still skeptical as to whether these policies are useful or not, but of the people surveyed, 70 percent either have or are actively looking for insurance, while only 30 percent have no interest in purchasing a policy at this time. Several years ago it was the other way around, so that’s a big difference.

The study shows that 62 percent of companies felt their security “posture” improved when they purchased insurance. What are the reasons for this?
In a nutshell, insured companies are more confident and prepared to deal with the threat of cyber breaches. When you have a policy, the insurer will ask you tough questions you’ve never asked yourself, and in answering them you will learn much more about the risks out there and how to mitigate them. Moreover, often the insurer will ask the client to undergo a NetDiligence® cyber risk assessment to reaffirm reasonable safeguard practices and suggest improvements for any weak spots. You will also grasp the policies and services that need to be in place, such as notification support and credit monitoring.

What are the ramifications of this study, for companies and for insurers?
For everyone, the main takeaway is that having a policy will better prepare you to deal with a data breach. At the same time, cyber risk insurance is getting to the point of mass adoption, so insurers can spend less time educating the market about cyber insurance—they can concentrate on fielding requests because they will continue to see growth in this area in the future.

In summary…
This research reinforces a positive trend: risk managers are becoming more knowledgeable about their cyber risk (including their significant legal liabilities should they suffer a breach caused by anemic security practices) and about the many cyber liability insurance solutions available to help them cede this risk exposure. Our own NetDiligence 2013 Cyber Liability & Data Breach Insurance Claims study (available for download or on the eRisk Hub) shows that even a modest data breach in a small organization can still result in sizeable dollar amounts being paid out to remediate and respond to the event. As such, cyber breach insurance coverage is no longer a luxury.