Cyber Insurance May Give "False Sense of Security" to Some Executives


August 02, 2019


Chief financial officers (CFOs) said that they expected their insurers to cover a wide range of cyber-attack-related losses despite some being nearly impossible to insure.

According to a recent FM Global survey, 7 in 10 senior financial executives at the world's largest companies believe their insurer would cover most or all of the losses their company would incur in a cyber attack. In fact, many of the losses they foresee are rarely covered by insurance.

Of the more than 100 CFOs and other senior financial executives surveyed, 45 percent said that they anticipated their insurer would cover "most" related losses from a cyber-security event, and 26 percent said they expected their insurer would cover "all" related losses.

The "effects" financial executives expected to experience in a substantial cyber-security event that are not typically covered by insurance policies include the following.

  • Degradation of the company's brand/reputation (46 percent said that this was a likely effect of a cyber-security event)
  • Increased scrutiny from the investment community (40 percent)
  • Decline in revenue/earnings (38 percent)
  • Introduction of regulatory compliance problems (35 percent)
  • Decline in market share (24 percent)
  • Decline in share price (24 percent)

"New costs to mitigate the loss" was also cited as an expected effect from a cyber-security event by 53 percent of senior financial executives. FM Global said that many new costs—including expenses related to restoring data or equipment—would be covered by first-party cyber insurance or property insurance and that litigation and customer notification costs would be covered by third-party insurance. Yet, the study said that other costs would likely have to be absorbed by the victimized company. Moreover, more than half said that financial recovery from a substantial cyber-security event would take months to years.

"As essential as cyber insurance is, the findings indicate financial executives may be deriving a false sense of security from it," said Kevin Ingram, executive vice president and CFO at FM Global. "While insurance is an essential part of the risk management formula, there are losses related to a cyber attack that insurance cannot cover—like damage to a company's reputation, lost market share, missed growth opportunities, decreased valuation, and losses stemming from increased cost of capital."
