Cyber risk has become the top concern for risk managers, according to a Business Insurance December survey. Indeed, at 56% of respondents, cyber risk outpaced worries over threats of changing legislation, at 53%, and natural disasters, at 36%.
The escalating concern over cyber risk was evident in answers to another survey question. When asked whether their company has a dedicated cyber risk insurance policy, 52% of respondents answered yes, while 38% said no and 10% were unsure.
The survey queried 242 risk managers, 200 insurers, 407 brokers, 65 cyber risk consultants and 57 other consultants or risk-management service providers (see data, page 16).
Damien Magnuson, Los Angeles-based senior vice president at ExecutivePerils Inc., said he has noticed an increased demand for dedicated cyber risk insurance.
“We've been pushing cyber liabilities for over a decade, but recently it has really come to the fore, and more companies and risk managers are exploring it,” he said.
Likewise, Tracie Grella, global head of professional liability for American International Group Inc., said the company is seeing rapid growth in demand for cyber risk policies in the U.S. and abroad.
“For stand-alone cyber policies, our sales increased 30% last year and 28% the year before that, so there's a significant amount of growth,” Ms. Grella said. “In the last 18 months, we extended our policy area from three countries — the U.S., Canada and Japan — to over 50 countries.”
Ms. Grella credits broader awareness of cyber risk in light of highly publicized data breaches, as well as an awareness of the limits of other types of liability insurance to respond to cyber risk, as reasons for the growing popularity of dedicated cyber risk policies.
“People now realize that this can happen to anyone, even if your technology is really good,” she said.
The declining cost of obtaining cyber coverage is another factor, Mr. Magnuson said.
“Ten years ago it was an expensive coverage, and only the largest technology companies were buying it,” he said. “Now the numbers of carriers in the market and capacity has risen, and prices are low. For smaller and midsized markets, prices are very competitive.”
In addition to the increasing use of cyber risk insurance, the survey also probed internal attitudes and organizational structures in regard to cyber risk. When asked who has overall responsibility for their company's security/cyber risk management effort, chief information officer/information technology leader was the most frequently selected at 57%.
Yet Kevin Kalinich, Chicago-based global practice leader for cyber risk insurance at Aon P.L.C., said companies need to guard against viewing cyber risk as solely a technology issue.
“It not just firewalls and anti-virus protection,” Mr. Kalinich said. “It's equally about policies and procedures.”
Accordingly, companies should assemble a multidisciplinary team with risk managers, treasurers and information technology staff working in a defined process to determine the scope of the company's cyber exposures and classify them according to importance and how critical they are to the organization, he said.
Ms. Grella agreed the issue of cyber risk transcends technology and requires teamwork.
“Having strong processes in place is certainly part of the equation, because IT alone can't protect an organization,” she said. “It's an enterprise-wide risk management issue.”
Mr. Kalinich also advises companies to seek help from qualified third parties to quantify cyber risk.
“The idea of a third-party audit of your practices for cyber is a good risk management tool and will put you in better shape for getting better coverage at a lower price with insurance companies,” he said. “Underwriters are extremely keen on having an independent, third-party assessment of your IT security standards.”