Just 33% of companies in Europe and the U.S. have a stand-alone cyber insurance policy, and "confusion still reigns" about cyber coverage, specialist insurer Hiscox Ltd. said in its 2018 Cyber Readiness Report.
The Feb. 6 report added that there were "major shortcomings" in overall cyber-security readiness at 73% of firms.
The report is based on a survey conducted by Forrester Consulting on behalf of Hiscox. It polled 4,103 people responsible for their company's cyber security across the U.K., the U.S., Germany, Spain and the Netherlands. Some 70% of the respondents were from organizations with fewer than 250 employees, while the remainder came from large firms with more than 250 staff.
Slow take-up
The survey revealed that in addition to the 33% of companies that already had cover, 25% plan to take out cyber insurance in the next 12 months, but 38% have no plans to buy cover and 4% do not even know what it is.
When asked for reasons for not taking out cyber cover, 46% of those respondents who said they would not take it out replied that cyber insurance was not relevant for them, while 27% believed it was too expensive. Some 19% said cyber policies are "so complicated I don't understand what the insurance would cover me for."
The report said top executives were more resistant to the idea of cyber insurance than their employees, with only 28% saying they had taken out cyber cover, while 44% had no plans to do so.
According to the report, "confusion still reigns" about the cover, as "large numbers" of respondents believe their general business insurance policy covers them for various cyber incidents. It said 64% of all respondents think a general policy covers them in whole or in part for a data breach resulting in the loss of customer data, and 57% think it covers them for a distributed denial-of-service attack, in which servers are flooded with messages until they collapse.
Hiscox said the big question was whether the EU General Data Protection Regulation, or GDPR, which comes into force in May, would boost cyber-insurance take-up in Europe.
The new regulation forces companies to publicize data breaches and increases the fines for such breaches. Companies not domiciled in Europe that have operations there will also fall into the scope of GDPR. "This could be a watershed moment," Hiscox said.
Large number of 'cyber novices'
The report evaluated companies' cyber readiness by scoring their cyber strategy and its execution out of five, with five being "excellent." Companies that scored 4.0 or more in both strategy and execution were deemed to be "experts." Those that scored more than 4.0 in one of the two categories were deemed "cyber intermediates," while the rest were classed as "cyber novices." Only 11% qualified as experts, with 16% considered intermediates, meaning that 73% were deemed to be novices.
Hiscox cyber CEO Gareth Wharton said in the report: "As an end of term report, it might have the words 'can do better' scrawled on it in red ink. It highlights the cyber readiness shortcomings of the majority of the organizations in our sample, particularly the smaller ones."
